idnits 2.17.1 draft-ietf-httpbis-semantics-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 6 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. -- The abstract seems to indicate that this document obsoletes RFC7615, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7538, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7231, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7232, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7233, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7235, but the header doesn't have an 'Obsoletes:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 9, 2019) is 1875 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2145' is defined on line 7742, but no explicit reference was found in the text == Unused Reference: 'RFC7232' is defined on line 7840, but no explicit reference was found in the text == Unused Reference: 'RFC7233' is defined on line 7845, but no explicit reference was found in the text == Unused Reference: 'RFC7235' is defined on line 7850, but no explicit reference was found in the text == Unused Reference: 'RFC7615' is defined on line 7863, but no explicit reference was found in the text == Unused Reference: 'RFC7617' is defined on line 7873, but no explicit reference was found in the text == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-cache-04 -- Possible downref: Normative reference to a draft: ref. 'Caching' == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-messaging-04 -- Possible downref: Normative reference to a draft: ref. 'Messaging' ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Downref: Normative reference to an Informational RFC: RFC 1950 ** Downref: Normative reference to an Informational RFC: RFC 1951 ** Downref: Normative reference to an Informational RFC: RFC 1952 -- Possible downref: Non-RFC (?) normative reference: ref. 'USASCII' -- Possible downref: Non-RFC (?) normative reference: ref. 'Welch' -- Duplicate reference: RFC2978, mentioned in 'Err5433', was also mentioned in 'Err1912'. -- Obsolete informational reference (is this intentional?): RFC 2068 (Obsoleted by RFC 2616) -- Obsolete informational reference (is this intentional?): RFC 2145 (Obsoleted by RFC 7230) -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Duplicate reference: RFC2978, mentioned in 'RFC2978', was also mentioned in 'Err5433'. -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) -- Obsolete informational reference (is this intentional?): RFC 7231 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7232 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7233 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7235 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7538 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7615 (Obsoleted by RFC 9110) Summary: 4 errors (**), 0 flaws (~~), 11 warnings (==), 27 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group R. Fielding, Ed. 3 Internet-Draft Adobe 4 Obsoletes: M. Nottingham, Ed. 5 7230,7231,7232,7233,7235,7538 Fastly 6 ,7615 (if approved) J. Reschke, Ed. 7 Intended status: Standards Track greenbytes 8 Expires: September 10, 2019 March 9, 2019 10 HTTP Semantics 11 draft-ietf-httpbis-semantics-04 13 Abstract 15 The Hypertext Transfer Protocol (HTTP) is a stateless application- 16 level protocol for distributed, collaborative, hypertext information 17 systems. This document defines the semantics of HTTP: its 18 architecture, terminology, the "http" and "https" Uniform Resource 19 Identifier (URI) schemes, core request methods, request header 20 fields, response status codes, response header fields, and content 21 negotiation. 23 This document obsoletes RFC 7231, RFC 7232, RFC 7233, RFC 7235, RFC 24 7538, RFC 7615, and portions of RFC 7230. 26 Editorial Note 28 This note is to be removed before publishing as an RFC. 30 Discussion of this draft takes place on the HTTP working group 31 mailing list (ietf-http-wg@w3.org), which is archived at 32 . 34 Working Group information can be found at ; 35 source code and issues list for this draft can be found at 36 . 38 The changes in this draft are summarized in Appendix I.5. 40 Status of This Memo 42 This Internet-Draft is submitted in full conformance with the 43 provisions of BCP 78 and BCP 79. 45 Internet-Drafts are working documents of the Internet Engineering 46 Task Force (IETF). Note that other groups may also distribute 47 working documents as Internet-Drafts. The list of current Internet- 48 Drafts is at https://datatracker.ietf.org/drafts/current/. 50 Internet-Drafts are draft documents valid for a maximum of six months 51 and may be updated, replaced, or obsoleted by other documents at any 52 time. It is inappropriate to use Internet-Drafts as reference 53 material or to cite them other than as "work in progress." 55 This Internet-Draft will expire on September 10, 2019. 57 Copyright Notice 59 Copyright (c) 2019 IETF Trust and the persons identified as the 60 document authors. All rights reserved. 62 This document is subject to BCP 78 and the IETF Trust's Legal 63 Provisions Relating to IETF Documents 64 (https://trustee.ietf.org/license-info) in effect on the date of 65 publication of this document. Please review these documents 66 carefully, as they describe your rights and restrictions with respect 67 to this document. Code Components extracted from this document must 68 include Simplified BSD License text as described in Section 4.e of 69 the Trust Legal Provisions and are provided without warranty as 70 described in the Simplified BSD License. 72 This document may contain material from IETF Documents or IETF 73 Contributions published or made publicly available before November 74 10, 2008. The person(s) controlling the copyright in some of this 75 material may not have granted the IETF Trust the right to allow 76 modifications of such material outside the IETF Standards Process. 77 Without obtaining an adequate license from the person(s) controlling 78 the copyright in such materials, this document may not be modified 79 outside the IETF Standards Process, and derivative works of it may 80 not be created outside the IETF Standards Process, except to format 81 it for publication as an RFC or to translate it into languages other 82 than English. 84 Table of Contents 86 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 87 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 9 88 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 9 89 2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 10 90 2.1. Client/Server Messaging . . . . . . . . . . . . . . . . . 10 91 2.2. Intermediaries . . . . . . . . . . . . . . . . . . . . . 12 92 2.3. Caches . . . . . . . . . . . . . . . . . . . . . . . . . 14 93 2.4. Uniform Resource Identifiers . . . . . . . . . . . . . . 14 94 2.5. Resources . . . . . . . . . . . . . . . . . . . . . . . . 15 95 2.5.1. http URI Scheme . . . . . . . . . . . . . . . . . . . 16 96 2.5.2. https URI Scheme . . . . . . . . . . . . . . . . . . 17 97 2.5.3. Fragment Identifiers on http(s) URI References . . . 18 98 2.5.4. http and https URI Normalization and Comparison . . . 18 99 3. Conformance . . . . . . . . . . . . . . . . . . . . . . . . . 19 100 3.1. Implementation Diversity . . . . . . . . . . . . . . . . 19 101 3.2. Role-based Requirements . . . . . . . . . . . . . . . . . 19 102 3.3. Parsing Elements . . . . . . . . . . . . . . . . . . . . 20 103 3.4. Error Handling . . . . . . . . . . . . . . . . . . . . . 21 104 3.5. Protocol Versioning . . . . . . . . . . . . . . . . . . . 21 105 4. Message Abstraction . . . . . . . . . . . . . . . . . . . . . 22 106 4.1. Header Field Names . . . . . . . . . . . . . . . . . . . 22 107 4.1.1. Header Field Name Registry . . . . . . . . . . . . . 25 108 4.1.2. Header Field Extensibility . . . . . . . . . . . . . 26 109 4.1.3. Considerations for New Header Fields . . . . . . . . 26 110 4.2. Header Field Values . . . . . . . . . . . . . . . . . . . 27 111 4.2.1. Header Field Order . . . . . . . . . . . . . . . . . 28 112 4.2.2. Header Field Limits . . . . . . . . . . . . . . . . . 29 113 4.2.3. Header Field Value Components . . . . . . . . . . . . 29 114 4.2.4. Designing New Header Field Values . . . . . . . . . . 30 115 4.3. Whitespace . . . . . . . . . . . . . . . . . . . . . . . 31 116 4.4. Trailer . . . . . . . . . . . . . . . . . . . . . . . . . 31 117 5. Message Routing . . . . . . . . . . . . . . . . . . . . . . . 32 118 5.1. Identifying a Target Resource . . . . . . . . . . . . . . 32 119 5.2. Routing Inbound . . . . . . . . . . . . . . . . . . . . . 32 120 5.3. Effective Request URI . . . . . . . . . . . . . . . . . . 33 121 5.4. Host . . . . . . . . . . . . . . . . . . . . . . . . . . 33 122 5.5. Message Forwarding . . . . . . . . . . . . . . . . . . . 35 123 5.5.1. Via . . . . . . . . . . . . . . . . . . . . . . . . . 35 124 5.5.2. Transformations . . . . . . . . . . . . . . . . . . . 37 125 6. Representations . . . . . . . . . . . . . . . . . . . . . . . 38 126 6.1. Representation Data . . . . . . . . . . . . . . . . . . . 39 127 6.1.1. Media Type . . . . . . . . . . . . . . . . . . . . . 39 128 6.1.2. Content Codings . . . . . . . . . . . . . . . . . . . 41 129 6.1.3. Language Tags . . . . . . . . . . . . . . . . . . . . 43 130 6.1.4. Range Units . . . . . . . . . . . . . . . . . . . . . 44 131 6.2. Representation Metadata . . . . . . . . . . . . . . . . . 47 132 6.2.1. Content-Type . . . . . . . . . . . . . . . . . . . . 47 133 6.2.2. Content-Encoding . . . . . . . . . . . . . . . . . . 48 134 6.2.3. Content-Language . . . . . . . . . . . . . . . . . . 49 135 6.2.4. Content-Length . . . . . . . . . . . . . . . . . . . 50 136 6.2.5. Content-Location . . . . . . . . . . . . . . . . . . 51 137 6.3. Payload . . . . . . . . . . . . . . . . . . . . . . . . . 53 138 6.3.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 53 139 6.3.2. Identification . . . . . . . . . . . . . . . . . . . 54 140 6.3.3. Content-Range . . . . . . . . . . . . . . . . . . . . 55 141 6.3.4. Media Type multipart/byteranges . . . . . . . . . . . 57 142 6.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 59 143 6.4.1. Proactive Negotiation . . . . . . . . . . . . . . . . 59 144 6.4.2. Reactive Negotiation . . . . . . . . . . . . . . . . 60 145 7. Request Methods . . . . . . . . . . . . . . . . . . . . . . . 61 146 7.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 61 147 7.2. Common Method Properties . . . . . . . . . . . . . . . . 63 148 7.2.1. Safe Methods . . . . . . . . . . . . . . . . . . . . 63 149 7.2.2. Idempotent Methods . . . . . . . . . . . . . . . . . 64 150 7.2.3. Cacheable Methods . . . . . . . . . . . . . . . . . . 64 151 7.3. Method Definitions . . . . . . . . . . . . . . . . . . . 65 152 7.3.1. GET . . . . . . . . . . . . . . . . . . . . . . . . . 65 153 7.3.2. HEAD . . . . . . . . . . . . . . . . . . . . . . . . 66 154 7.3.3. POST . . . . . . . . . . . . . . . . . . . . . . . . 66 155 7.3.4. PUT . . . . . . . . . . . . . . . . . . . . . . . . . 67 156 7.3.5. DELETE . . . . . . . . . . . . . . . . . . . . . . . 70 157 7.3.6. CONNECT . . . . . . . . . . . . . . . . . . . . . . . 71 158 7.3.7. OPTIONS . . . . . . . . . . . . . . . . . . . . . . . 72 159 7.3.8. TRACE . . . . . . . . . . . . . . . . . . . . . . . . 73 160 7.4. Method Extensibility . . . . . . . . . . . . . . . . . . 74 161 7.4.1. Method Registry . . . . . . . . . . . . . . . . . . . 74 162 7.4.2. Considerations for New Methods . . . . . . . . . . . 74 163 8. Request Header Fields . . . . . . . . . . . . . . . . . . . . 75 164 8.1. Controls . . . . . . . . . . . . . . . . . . . . . . . . 75 165 8.1.1. Expect . . . . . . . . . . . . . . . . . . . . . . . 76 166 8.1.2. Max-Forwards . . . . . . . . . . . . . . . . . . . . 78 167 8.2. Preconditions . . . . . . . . . . . . . . . . . . . . . . 79 168 8.2.1. Evaluation . . . . . . . . . . . . . . . . . . . . . 80 169 8.2.2. Precedence . . . . . . . . . . . . . . . . . . . . . 81 170 8.2.3. If-Match . . . . . . . . . . . . . . . . . . . . . . 83 171 8.2.4. If-None-Match . . . . . . . . . . . . . . . . . . . . 84 172 8.2.5. If-Modified-Since . . . . . . . . . . . . . . . . . . 85 173 8.2.6. If-Unmodified-Since . . . . . . . . . . . . . . . . . 86 174 8.2.7. If-Range . . . . . . . . . . . . . . . . . . . . . . 87 175 8.3. Range . . . . . . . . . . . . . . . . . . . . . . . . . . 89 176 8.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 90 177 8.4.1. Quality Values . . . . . . . . . . . . . . . . . . . 91 178 8.4.2. Accept . . . . . . . . . . . . . . . . . . . . . . . 92 179 8.4.3. Accept-Charset . . . . . . . . . . . . . . . . . . . 94 180 8.4.4. Accept-Encoding . . . . . . . . . . . . . . . . . . . 95 181 8.4.5. Accept-Language . . . . . . . . . . . . . . . . . . . 96 182 8.5. Authentication Credentials . . . . . . . . . . . . . . . 97 183 8.5.1. Challenge and Response . . . . . . . . . . . . . . . 97 184 8.5.2. Protection Space (Realm) . . . . . . . . . . . . . . 99 185 8.5.3. Authorization . . . . . . . . . . . . . . . . . . . . 100 186 8.5.4. Proxy-Authorization . . . . . . . . . . . . . . . . . 100 187 8.5.5. Authentication Scheme Extensibility . . . . . . . . . 101 188 8.6. Request Context . . . . . . . . . . . . . . . . . . . . . 103 189 8.6.1. From . . . . . . . . . . . . . . . . . . . . . . . . 103 190 8.6.2. Referer . . . . . . . . . . . . . . . . . . . . . . . 104 191 8.6.3. User-Agent . . . . . . . . . . . . . . . . . . . . . 105 192 9. Response Status Codes . . . . . . . . . . . . . . . . . . . . 106 193 9.1. Overview of Status Codes . . . . . . . . . . . . . . . . 107 194 9.2. Informational 1xx . . . . . . . . . . . . . . . . . . . . 108 195 9.2.1. 100 Continue . . . . . . . . . . . . . . . . . . . . 108 196 9.2.2. 101 Switching Protocols . . . . . . . . . . . . . . . 109 197 9.3. Successful 2xx . . . . . . . . . . . . . . . . . . . . . 109 198 9.3.1. 200 OK . . . . . . . . . . . . . . . . . . . . . . . 109 199 9.3.2. 201 Created . . . . . . . . . . . . . . . . . . . . . 110 200 9.3.3. 202 Accepted . . . . . . . . . . . . . . . . . . . . 110 201 9.3.4. 203 Non-Authoritative Information . . . . . . . . . . 111 202 9.3.5. 204 No Content . . . . . . . . . . . . . . . . . . . 111 203 9.3.6. 205 Reset Content . . . . . . . . . . . . . . . . . . 112 204 9.3.7. 206 Partial Content . . . . . . . . . . . . . . . . . 112 205 9.4. Redirection 3xx . . . . . . . . . . . . . . . . . . . . . 115 206 9.4.1. 300 Multiple Choices . . . . . . . . . . . . . . . . 117 207 9.4.2. 301 Moved Permanently . . . . . . . . . . . . . . . . 118 208 9.4.3. 302 Found . . . . . . . . . . . . . . . . . . . . . . 118 209 9.4.4. 303 See Other . . . . . . . . . . . . . . . . . . . . 119 210 9.4.5. 304 Not Modified . . . . . . . . . . . . . . . . . . 119 211 9.4.6. 305 Use Proxy . . . . . . . . . . . . . . . . . . . . 120 212 9.4.7. 306 (Unused) . . . . . . . . . . . . . . . . . . . . 120 213 9.4.8. 307 Temporary Redirect . . . . . . . . . . . . . . . 120 214 9.4.9. 308 Permanent Redirect . . . . . . . . . . . . . . . 121 215 9.5. Client Error 4xx . . . . . . . . . . . . . . . . . . . . 121 216 9.5.1. 400 Bad Request . . . . . . . . . . . . . . . . . . . 121 217 9.5.2. 401 Unauthorized . . . . . . . . . . . . . . . . . . 121 218 9.5.3. 402 Payment Required . . . . . . . . . . . . . . . . 122 219 9.5.4. 403 Forbidden . . . . . . . . . . . . . . . . . . . . 122 220 9.5.5. 404 Not Found . . . . . . . . . . . . . . . . . . . . 122 221 9.5.6. 405 Method Not Allowed . . . . . . . . . . . . . . . 123 222 9.5.7. 406 Not Acceptable . . . . . . . . . . . . . . . . . 123 223 9.5.8. 407 Proxy Authentication Required . . . . . . . . . . 123 224 9.5.9. 408 Request Timeout . . . . . . . . . . . . . . . . . 123 225 9.5.10. 409 Conflict . . . . . . . . . . . . . . . . . . . . 124 226 9.5.11. 410 Gone . . . . . . . . . . . . . . . . . . . . . . 124 227 9.5.12. 411 Length Required . . . . . . . . . . . . . . . . . 124 228 9.5.13. 412 Precondition Failed . . . . . . . . . . . . . . . 125 229 9.5.14. 413 Payload Too Large . . . . . . . . . . . . . . . . 125 230 9.5.15. 414 URI Too Long . . . . . . . . . . . . . . . . . . 125 231 9.5.16. 415 Unsupported Media Type . . . . . . . . . . . . . 125 232 9.5.17. 416 Range Not Satisfiable . . . . . . . . . . . . . . 126 233 9.5.18. 417 Expectation Failed . . . . . . . . . . . . . . . 126 234 9.5.19. 418 (Unused) . . . . . . . . . . . . . . . . . . . . 126 235 9.5.20. 422 Unprocessable Entity . . . . . . . . . . . . . . 127 236 9.5.21. 426 Upgrade Required . . . . . . . . . . . . . . . . 127 237 9.6. Server Error 5xx . . . . . . . . . . . . . . . . . . . . 127 238 9.6.1. 500 Internal Server Error . . . . . . . . . . . . . . 128 239 9.6.2. 501 Not Implemented . . . . . . . . . . . . . . . . . 128 240 9.6.3. 502 Bad Gateway . . . . . . . . . . . . . . . . . . . 128 241 9.6.4. 503 Service Unavailable . . . . . . . . . . . . . . . 128 242 9.6.5. 504 Gateway Timeout . . . . . . . . . . . . . . . . . 128 243 9.6.6. 505 HTTP Version Not Supported . . . . . . . . . . . 128 244 9.7. Status Code Extensibility . . . . . . . . . . . . . . . . 129 245 9.7.1. Status Code Registry . . . . . . . . . . . . . . . . 129 246 9.7.2. Considerations for New Status Codes . . . . . . . . . 129 247 10. Response Header Fields . . . . . . . . . . . . . . . . . . . 130 248 10.1. Control Data . . . . . . . . . . . . . . . . . . . . . . 130 249 10.1.1. Origination Date . . . . . . . . . . . . . . . . . . 131 250 10.1.2. Location . . . . . . . . . . . . . . . . . . . . . . 134 251 10.1.3. Retry-After . . . . . . . . . . . . . . . . . . . . 135 252 10.1.4. Vary . . . . . . . . . . . . . . . . . . . . . . . . 136 253 10.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 137 254 10.2.1. Weak versus Strong . . . . . . . . . . . . . . . . . 138 255 10.2.2. Last-Modified . . . . . . . . . . . . . . . . . . . 139 256 10.2.3. ETag . . . . . . . . . . . . . . . . . . . . . . . . 141 257 10.2.4. When to Use Entity-Tags and Last-Modified Dates . . 145 258 10.3. Authentication Challenges . . . . . . . . . . . . . . . 145 259 10.3.1. WWW-Authenticate . . . . . . . . . . . . . . . . . . 146 260 10.3.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . 147 261 10.3.3. Authentication-Info . . . . . . . . . . . . . . . . 147 262 10.3.4. Proxy-Authentication-Info . . . . . . . . . . . . . 148 263 10.4. Response Context . . . . . . . . . . . . . . . . . . . . 149 264 10.4.1. Accept-Ranges . . . . . . . . . . . . . . . . . . . 149 265 10.4.2. Allow . . . . . . . . . . . . . . . . . . . . . . . 149 266 10.4.3. Server . . . . . . . . . . . . . . . . . . . . . . . 150 267 11. ABNF List Extension: #rule . . . . . . . . . . . . . . . . . 151 268 12. Security Considerations . . . . . . . . . . . . . . . . . . . 152 269 12.1. Establishing Authority . . . . . . . . . . . . . . . . . 152 270 12.2. Risks of Intermediaries . . . . . . . . . . . . . . . . 153 271 12.3. Attacks Based on File and Path Names . . . . . . . . . . 154 272 12.4. Attacks Based on Command, Code, or Query Injection . . . 154 273 12.5. Attacks via Protocol Element Length . . . . . . . . . . 155 274 12.6. Disclosure of Personal Information . . . . . . . . . . . 155 275 12.7. Privacy of Server Log Information . . . . . . . . . . . 155 276 12.8. Disclosure of Sensitive Information in URIs . . . . . . 156 277 12.9. Disclosure of Fragment after Redirects . . . . . . . . . 156 278 12.10. Disclosure of Product Information . . . . . . . . . . . 157 279 12.11. Browser Fingerprinting . . . . . . . . . . . . . . . . . 157 280 12.12. Validator Retention . . . . . . . . . . . . . . . . . . 158 281 12.13. Denial-of-Service Attacks Using Range . . . . . . . . . 159 282 12.14. Authentication Considerations . . . . . . . . . . . . . 159 283 12.14.1. Confidentiality of Credentials . . . . . . . . . . 159 284 12.14.2. Credentials and Idle Clients . . . . . . . . . . . 160 285 12.14.3. Protection Spaces . . . . . . . . . . . . . . . . . 160 286 12.14.4. Additional Response Header Fields . . . . . . . . . 161 287 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 161 288 13.1. URI Scheme Registration . . . . . . . . . . . . . . . . 161 289 13.2. Method Registration . . . . . . . . . . . . . . . . . . 161 290 13.3. Status Code Registration . . . . . . . . . . . . . . . . 161 291 13.4. Header Field Registration . . . . . . . . . . . . . . . 162 292 13.5. Authentication Scheme Registration . . . . . . . . . . . 162 293 13.6. Content Coding Registration . . . . . . . . . . . . . . 163 294 13.7. Range Unit Registration . . . . . . . . . . . . . . . . 163 295 13.8. Media Type Registration . . . . . . . . . . . . . . . . 163 296 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 163 297 14.1. Normative References . . . . . . . . . . . . . . . . . . 163 298 14.2. Informative References . . . . . . . . . . . . . . . . . 165 299 Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 171 300 Appendix B. Changes from RFC 7230 . . . . . . . . . . . . . . . 175 301 Appendix C. Changes from RFC 7231 . . . . . . . . . . . . . . . 176 302 Appendix D. Changes from RFC 7232 . . . . . . . . . . . . . . . 176 303 Appendix E. Changes from RFC 7233 . . . . . . . . . . . . . . . 176 304 Appendix F. Changes from RFC 7235 . . . . . . . . . . . . . . . 176 305 Appendix G. Changes from RFC 7538 . . . . . . . . . . . . . . . 176 306 Appendix H. Changes from RFC 7615 . . . . . . . . . . . . . . . 176 307 Appendix I. Change Log . . . . . . . . . . . . . . . . . . . . . 176 308 I.1. Between RFC723x and draft 00 . . . . . . . . . . . . . . 176 309 I.2. Since draft-ietf-httpbis-semantics-00 . . . . . . . . . . 177 310 I.3. Since draft-ietf-httpbis-semantics-01 . . . . . . . . . . 177 311 I.4. Since draft-ietf-httpbis-semantics-02 . . . . . . . . . . 179 312 I.5. Since draft-ietf-httpbis-semantics-03 . . . . . . . . . . 180 313 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 314 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 188 315 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 189 317 1. Introduction 319 The Hypertext Transfer Protocol (HTTP) is a stateless application- 320 level request/response protocol that uses extensible semantics and 321 self-descriptive messages for flexible interaction with network-based 322 hypertext information systems. HTTP is defined by a series of 323 documents that collectively form the HTTP/1.1 specification: 325 o "HTTP Semantics" (this document) 327 o "HTTP Caching" [Caching] 329 o "HTTP/1.1 Messaging" [Messaging] 331 HTTP is a generic interface protocol for information systems. It is 332 designed to hide the details of how a service is implemented by 333 presenting a uniform interface to clients that is independent of the 334 types of resources provided. Likewise, servers do not need to be 335 aware of each client's purpose: an HTTP request can be considered in 336 isolation rather than being associated with a specific type of client 337 or a predetermined sequence of application steps. The result is a 338 protocol that can be used effectively in many different contexts and 339 for which implementations can evolve independently over time. 341 HTTP is also designed for use as an intermediation protocol for 342 translating communication to and from non-HTTP information systems. 343 HTTP proxies and gateways can provide access to alternative 344 information services by translating their diverse protocols into a 345 hypertext format that can be viewed and manipulated by clients in the 346 same way as HTTP services. 348 One consequence of this flexibility is that the protocol cannot be 349 defined in terms of what occurs behind the interface. Instead, we 350 are limited to defining the syntax of communication, the intent of 351 received communication, and the expected behavior of recipients. If 352 the communication is considered in isolation, then successful actions 353 ought to be reflected in corresponding changes to the observable 354 interface provided by servers. However, since multiple clients might 355 act in parallel and perhaps at cross-purposes, we cannot require that 356 such changes be observable beyond the scope of a single response. 358 Each HTTP message is either a request or a response. A server 359 listens on a connection for a request, parses each message received, 360 interprets the message semantics in relation to the identified 361 request target, and responds to that request with one or more 362 response messages. A client constructs request messages to 363 communicate specific intentions, examines received responses to see 364 if the intentions were carried out, and determines how to interpret 365 the results. 367 HTTP provides a uniform interface for interacting with a resource 368 (Section 2.5), regardless of its type, nature, or implementation, via 369 the manipulation and transfer of representations (Section 6). 371 This document defines semantics that are common to all versions of 372 HTTP. HTTP semantics include the intentions defined by each request 373 method (Section 7), extensions to those semantics that might be 374 described in request header fields (Section 8), the meaning of status 375 codes to indicate a machine-readable response (Section 9), and the 376 meaning of other control data and resource metadata that might be 377 given in response header fields (Section 10). 379 This document also defines representation metadata that describe how 380 a payload is intended to be interpreted by a recipient, the request 381 header fields that might influence content selection, and the various 382 selection algorithms that are collectively referred to as "content 383 negotiation" (Section 6.4). 385 This document defines HTTP range requests, partial responses, and the 386 multipart/byteranges media type. 388 This document obsoletes the portions of RFC 7230 that are independent 389 of the HTTP/1.1 messaging syntax and connection management, with the 390 changes being summarized in Appendix B. The other parts of RFC 7230 391 are obsoleted by "HTTP/1.1 Messaging" [Messaging]. This document 392 also obsoletes RFC 7231 (see Appendix C), RFC 7232 (see Appendix D), 393 RFC 7233 (see Appendix E), RFC 7235 (see Appendix F), RFC 7538 (see 394 Appendix G), and RFC 7615 (see Appendix H). 396 1.1. Requirements Notation 398 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 399 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 400 document are to be interpreted as described in [RFC2119]. 402 Conformance criteria and considerations regarding error handling are 403 defined in Section 3. 405 1.2. Syntax Notation 407 This specification uses the Augmented Backus-Naur Form (ABNF) 408 notation of [RFC5234], extended with the notation for case- 409 sensitivity in strings defined in [RFC7405]. 411 It also uses a list extension, defined in Section 11, that allows for 412 compact definition of comma-separated lists using a '#' operator 413 (similar to how the '*' operator indicates repetition). Appendix A 414 shows the collected grammar with all list operators expanded to 415 standard ABNF notation. 417 As a convention, ABNF rule names prefixed with "obs-" denote 418 "obsolete" grammar rules that appear for historical reasons. 420 The following core rules are included by reference, as defined in 421 Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return), 422 CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double 423 quote), HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF 424 (line feed), OCTET (any 8-bit sequence of data), SP (space), and 425 VCHAR (any visible US-ASCII character). 427 The rules below are defined in [Messaging]: 429 obs-fold = 430 protocol-name = 431 protocol-version = 432 request-target = 434 This specification uses the terms "character", "character encoding 435 scheme", "charset", and "protocol element" as they are defined in 436 [RFC6365]. 438 2. Architecture 440 HTTP was created for the World Wide Web (WWW) architecture and has 441 evolved over time to support the scalability needs of a worldwide 442 hypertext system. Much of that architecture is reflected in the 443 terminology and syntax productions used to define HTTP. 445 2.1. Client/Server Messaging 447 HTTP is a stateless request/response protocol that operates by 448 exchanging messages (Section 2 of [Messaging]) across a reliable 449 transport- or session-layer "connection" (Section 9 of [Messaging]). 450 An HTTP "client" is a program that establishes a connection to a 451 server for the purpose of sending one or more HTTP requests. An HTTP 452 "server" is a program that accepts connections in order to service 453 HTTP requests by sending HTTP responses. 455 The terms "client" and "server" refer only to the roles that these 456 programs perform for a particular connection. The same program might 457 act as a client on some connections and a server on others. The term 458 "user agent" refers to any of the various client programs that 459 initiate a request, including (but not limited to) browsers, spiders 460 (web-based robots), command-line tools, custom applications, and 461 mobile apps. The term "origin server" refers to the program that can 462 originate authoritative responses for a given target resource. The 463 terms "sender" and "recipient" refer to any implementation that sends 464 or receives a given message, respectively. 466 HTTP relies upon the Uniform Resource Identifier (URI) standard 467 [RFC3986] to indicate the target resource (Section 5.1) and 468 relationships between resources. 470 Most HTTP communication consists of a retrieval request (GET) for a 471 representation of some resource identified by a URI. In the simplest 472 case, this might be accomplished via a single bidirectional 473 connection (===) between the user agent (UA) and the origin server 474 (O). 476 request > 477 UA ======================================= O 478 < response 480 A client sends an HTTP request to a server in the form of a request 481 message, beginning with a method (Section 7) and URI, followed by 482 header fields containing request modifiers, client information, and 483 representation metadata (Section 5 of [Messaging]), and finally a 484 message body containing the payload body (if any, Section 6 of 485 [Messaging]). 487 A server responds to a client's request by sending one or more HTTP 488 response messages, each beginning with a success or error code 489 (Section 9), possibly followed by header fields containing server 490 information, resource metadata, and representation metadata 491 (Section 5 of [Messaging]), and finally a message body containing the 492 payload body (if any, Section 6 of [Messaging]). 494 A connection might be used for multiple request/response exchanges. 495 The mechanism used to correlate between request and response messages 496 is version dependent; some versions of HTTP use implicit ordering of 497 messages, while others use an explicit identifier. 499 Responses (both final and non-final) can be sent at any time after a 500 request is received, even if it is not yet complete. However, 501 clients (including intermediaries) might abandon a request if the 502 response is not forthcoming within a reasonable period of time. 504 The following example illustrates a typical message exchange for a 505 GET request (Section 7.3.1) on the URI "http://www.example.com/ 506 hello.txt": 508 Client request: 510 GET /hello.txt HTTP/1.1 511 User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 512 Host: www.example.com 513 Accept-Language: en, mi 515 Server response: 517 HTTP/1.1 200 OK 518 Date: Mon, 27 Jul 2009 12:28:53 GMT 519 Server: Apache 520 Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT 521 ETag: "34aa387-d-1568eb00" 522 Accept-Ranges: bytes 523 Content-Length: 51 524 Vary: Accept-Encoding 525 Content-Type: text/plain 527 Hello World! My payload includes a trailing CRLF. 529 2.2. Intermediaries 531 HTTP enables the use of intermediaries to satisfy requests through a 532 chain of connections. There are three common forms of HTTP 533 intermediary: proxy, gateway, and tunnel. In some cases, a single 534 intermediary might act as an origin server, proxy, gateway, or 535 tunnel, switching behavior based on the nature of each request. 537 > > > > 538 UA =========== A =========== B =========== C =========== O 539 < < < < 541 The figure above shows three intermediaries (A, B, and C) between the 542 user agent and origin server. A request or response message that 543 travels the whole chain will pass through four separate connections. 544 Some HTTP communication options might apply only to the connection 545 with the nearest, non-tunnel neighbor, only to the endpoints of the 546 chain, or to all connections along the chain. Although the diagram 547 is linear, each participant might be engaged in multiple, 548 simultaneous communications. For example, B might be receiving 549 requests from many clients other than A, and/or forwarding requests 550 to servers other than C, at the same time that it is handling A's 551 request. Likewise, later requests might be sent through a different 552 path of connections, often based on dynamic configuration for load 553 balancing. 555 The terms "upstream" and "downstream" are used to describe 556 directional requirements in relation to the message flow: all 557 messages flow from upstream to downstream. The terms "inbound" and 558 "outbound" are used to describe directional requirements in relation 559 to the request route: "inbound" means toward the origin server and 560 "outbound" means toward the user agent. 562 A "proxy" is a message-forwarding agent that is selected by the 563 client, usually via local configuration rules, to receive requests 564 for some type(s) of absolute URI and attempt to satisfy those 565 requests via translation through the HTTP interface. Some 566 translations are minimal, such as for proxy requests for "http" URIs, 567 whereas other requests might require translation to and from entirely 568 different application-level protocols. Proxies are often used to 569 group an organization's HTTP requests through a common intermediary 570 for the sake of security, annotation services, or shared caching. 571 Some proxies are designed to apply transformations to selected 572 messages or payloads while they are being forwarded, as described in 573 Section 5.5.2. 575 A "gateway" (a.k.a. "reverse proxy") is an intermediary that acts as 576 an origin server for the outbound connection but translates received 577 requests and forwards them inbound to another server or servers. 578 Gateways are often used to encapsulate legacy or untrusted 579 information services, to improve server performance through 580 "accelerator" caching, and to enable partitioning or load balancing 581 of HTTP services across multiple machines. 583 All HTTP requirements applicable to an origin server also apply to 584 the outbound communication of a gateway. A gateway communicates with 585 inbound servers using any protocol that it desires, including private 586 extensions to HTTP that are outside the scope of this specification. 587 However, an HTTP-to-HTTP gateway that wishes to interoperate with 588 third-party HTTP servers ought to conform to user agent requirements 589 on the gateway's inbound connection. 591 A "tunnel" acts as a blind relay between two connections without 592 changing the messages. Once active, a tunnel is not considered a 593 party to the HTTP communication, though the tunnel might have been 594 initiated by an HTTP request. A tunnel ceases to exist when both 595 ends of the relayed connection are closed. Tunnels are used to 596 extend a virtual connection through an intermediary, such as when 597 Transport Layer Security (TLS, [RFC5246]) is used to establish 598 confidential communication through a shared firewall proxy. 600 The above categories for intermediary only consider those acting as 601 participants in the HTTP communication. There are also 602 intermediaries that can act on lower layers of the network protocol 603 stack, filtering or redirecting HTTP traffic without the knowledge or 604 permission of message senders. Network intermediaries are 605 indistinguishable (at a protocol level) from a man-in-the-middle 606 attack, often introducing security flaws or interoperability problems 607 due to mistakenly violating HTTP semantics. 609 For example, an "interception proxy" [RFC3040] (also commonly known 610 as a "transparent proxy" [RFC1919] or "captive portal") differs from 611 an HTTP proxy because it is not selected by the client. Instead, an 612 interception proxy filters or redirects outgoing TCP port 80 packets 613 (and occasionally other common port traffic). Interception proxies 614 are commonly found on public network access points, as a means of 615 enforcing account subscription prior to allowing use of non-local 616 Internet services, and within corporate firewalls to enforce network 617 usage policies. 619 HTTP is defined as a stateless protocol, meaning that each request 620 message can be understood in isolation. Many implementations depend 621 on HTTP's stateless design in order to reuse proxied connections or 622 dynamically load balance requests across multiple servers. Hence, a 623 server MUST NOT assume that two requests on the same connection are 624 from the same user agent unless the connection is secured and 625 specific to that agent. Some non-standard HTTP extensions (e.g., 626 [RFC4559]) have been known to violate this requirement, resulting in 627 security and interoperability problems. 629 2.3. Caches 631 A "cache" is a local store of previous response messages and the 632 subsystem that controls its message storage, retrieval, and deletion. 633 A cache stores cacheable responses in order to reduce the response 634 time and network bandwidth consumption on future, equivalent 635 requests. Any client or server MAY employ a cache, though a cache 636 cannot be used by a server while it is acting as a tunnel. 638 The effect of a cache is that the request/response chain is shortened 639 if one of the participants along the chain has a cached response 640 applicable to that request. The following illustrates the resulting 641 chain if B has a cached copy of an earlier response from O (via C) 642 for a request that has not been cached by UA or A. 644 > > 645 UA =========== A =========== B - - - - - - C - - - - - - O 646 < < 648 A response is "cacheable" if a cache is allowed to store a copy of 649 the response message for use in answering subsequent requests. Even 650 when a response is cacheable, there might be additional constraints 651 placed by the client or by the origin server on when that cached 652 response can be used for a particular request. HTTP requirements for 653 cache behavior and cacheable responses are defined in Section 2 of 654 [Caching]. 656 There is a wide variety of architectures and configurations of caches 657 deployed across the World Wide Web and inside large organizations. 658 These include national hierarchies of proxy caches to save 659 transoceanic bandwidth, collaborative systems that broadcast or 660 multicast cache entries, archives of pre-fetched cache entries for 661 use in off-line or high-latency environments, and so on. 663 2.4. Uniform Resource Identifiers 665 Uniform Resource Identifiers (URIs) [RFC3986] are used throughout 666 HTTP as the means for identifying resources (Section 2.5). URI 667 references are used to target requests, indicate redirects, and 668 define relationships. 670 The definitions of "URI-reference", "absolute-URI", "relative-part", 671 "authority", "port", "host", "path-abempty", "segment", and "query" 672 are adopted from the URI generic syntax. An "absolute-path" rule is 673 defined for protocol elements that can contain a non-empty path 674 component. (This rule differs slightly from the path-abempty rule of 675 RFC 3986, which allows for an empty path to be used in references, 676 and path-absolute rule, which does not allow paths that begin with 677 "//".) A "partial-URI" rule is defined for protocol elements that 678 can contain a relative URI but not a fragment component. 680 URI-reference = 681 absolute-URI = 682 relative-part = 683 authority = 684 uri-host = 685 port = 686 path-abempty = 687 segment = 688 query = 690 absolute-path = 1*( "/" segment ) 691 partial-URI = relative-part [ "?" query ] 693 Each protocol element in HTTP that allows a URI reference will 694 indicate in its ABNF production whether the element allows any form 695 of reference (URI-reference), only a URI in absolute form (absolute- 696 URI), only the path and optional query components, or some 697 combination of the above. Unless otherwise indicated, URI references 698 are parsed relative to the effective request URI (Section 5.3). 700 2.5. Resources 702 The target of an HTTP request is called a "resource". HTTP does not 703 limit the nature of a resource; it merely defines an interface that 704 might be used to interact with resources. Each resource is 705 identified by a Uniform Resource Identifier (URI), as described in 706 Section 2.4. 708 One design goal of HTTP is to separate resource identification from 709 request semantics, which is made possible by vesting the request 710 semantics in the request method (Section 7) and a few request- 711 modifying header fields (Section 8). If there is a conflict between 712 the method semantics and any semantic implied by the URI itself, as 713 described in Section 7.2.1, the method semantics take precedence. 715 IANA maintains the registry of URI Schemes [BCP35] at 716 . Although requests 717 might target any URI scheme, the following schemes are inherent to 718 HTTP servers: 720 +------------+------------------------------------+---------------+ 721 | URI Scheme | Description | Reference | 722 +------------+------------------------------------+---------------+ 723 | http | Hypertext Transfer Protocol | Section 2.5.1 | 724 | https | Hypertext Transfer Protocol Secure | Section 2.5.2 | 725 +------------+------------------------------------+---------------+ 727 2.5.1. http URI Scheme 729 The "http" URI scheme is hereby defined for the purpose of minting 730 identifiers according to their association with the hierarchical 731 namespace governed by a potential HTTP origin server listening for 732 TCP ([RFC0793]) connections on a given port. 734 http-URI = "http:" "//" authority path-abempty [ "?" query ] 736 The origin server for an "http" URI is identified by the authority 737 component, which includes a host identifier and optional TCP port 738 ([RFC3986], Section 3.2.2). The hierarchical path component and 739 optional query component serve as an identifier for a potential 740 target resource within that origin server's name space. 742 A sender MUST NOT generate an "http" URI with an empty host 743 identifier. A recipient that processes such a URI reference MUST 744 reject it as invalid. 746 If the host identifier is provided as an IP address, the origin 747 server is the listener (if any) on the indicated TCP port at that IP 748 address. If host is a registered name, the registered name is an 749 indirect identifier for use with a name resolution service, such as 750 DNS, to find an address for that origin server. If the port 751 subcomponent is empty or not given, TCP port 80 (the reserved port 752 for WWW services) is the default. 754 Note that the presence of a URI with a given authority component does 755 not imply that there is always an HTTP server listening for 756 connections on that host and port. Anyone can mint a URI. What the 757 authority component determines is who has the right to respond 758 authoritatively to requests that target the identified resource. The 759 delegated nature of registered names and IP addresses creates a 760 federated namespace, based on control over the indicated host and 761 port, whether or not an HTTP server is present. See Section 12.1 for 762 security considerations related to establishing authority. 764 When an "http" URI is used within a context that calls for access to 765 the indicated resource, a client MAY attempt access by resolving the 766 host to an IP address, establishing a TCP connection to that address 767 on the indicated port, and sending an HTTP request message (Section 2 768 of [Messaging]) containing the URI's identifying data to the server. 769 If the server responds to that request with a non-interim HTTP 770 response message, as described in Section 9, then that response is 771 considered an authoritative answer to the client's request. 773 Although HTTP is independent of the transport protocol, the "http" 774 scheme is specific to TCP-based services because the name delegation 775 process depends on TCP for establishing authority. An HTTP service 776 based on some other underlying connection protocol would presumably 777 be identified using a different URI scheme, just as the "https" 778 scheme (below) is used for resources that require an end-to-end 779 secured connection. Other protocols might also be used to provide 780 access to "http" identified resources -- it is only the authoritative 781 interface that is specific to TCP. 783 The URI generic syntax for authority also includes a deprecated 784 userinfo subcomponent ([RFC3986], Section 3.2.1) for including user 785 authentication information in the URI. Some implementations make use 786 of the userinfo component for internal configuration of 787 authentication information, such as within command invocation 788 options, configuration files, or bookmark lists, even though such 789 usage might expose a user identifier or password. A sender MUST NOT 790 generate the userinfo subcomponent (and its "@" delimiter) when an 791 "http" URI reference is generated within a message as a request 792 target or header field value. Before making use of an "http" URI 793 reference received from an untrusted source, a recipient SHOULD parse 794 for userinfo and treat its presence as an error; it is likely being 795 used to obscure the authority for the sake of phishing attacks. 797 2.5.2. https URI Scheme 799 The "https" URI scheme is hereby defined for the purpose of minting 800 identifiers according to their association with the hierarchical 801 namespace governed by a potential HTTP origin server listening to a 802 given TCP port for TLS-secured connections ([RFC5246]). 804 All of the requirements listed above for the "http" scheme are also 805 requirements for the "https" scheme, except that TCP port 443 is the 806 default if the port subcomponent is empty or not given, and the user 807 agent MUST ensure that its connection to the origin server is secured 808 through the use of strong encryption, end-to-end, prior to sending 809 the first HTTP request. 811 https-URI = "https:" "//" authority path-abempty [ "?" query ] 813 Note that the "https" URI scheme depends on both TLS and TCP for 814 establishing authority. Resources made available via the "https" 815 scheme have no shared identity with the "http" scheme even if their 816 resource identifiers indicate the same authority (the same host 817 listening to the same TCP port). They are distinct namespaces and 818 are considered to be distinct origin servers. However, an extension 819 to HTTP that is defined to apply to entire host domains, such as the 820 Cookie protocol [RFC6265], can allow information set by one service 821 to impact communication with other services within a matching group 822 of host domains. 824 The process for authoritative access to an "https" identified 825 resource is defined in [RFC2818]. 827 2.5.3. Fragment Identifiers on http(s) URI References 829 Fragment identifiers allow for indirect identification of a secondary 830 resource, independent of the URI scheme, as defined in Section 3.5 of 831 [RFC3986]. Some protocol elements that refer to a URI allow 832 inclusion of a fragment, while others do not. They are distinguished 833 by use of the ABNF rule for elements where fragment is allowed; 834 otherwise, a specific rule that excludes fragments is used (see 835 Section 5.1). 837 Note: the fragment identifier component is not part of the actual 838 scheme definition for a URI scheme (see Section 4.3 of [RFC3986]), 839 thus does not appear in the ABNF definitions for the "http" and 840 "https" URI schemes above. 842 2.5.4. http and https URI Normalization and Comparison 844 Since the "http" and "https" schemes conform to the URI generic 845 syntax, such URIs are normalized and compared according to the 846 algorithm defined in Section 6 of [RFC3986], using the defaults 847 described above for each scheme. 849 If the port is equal to the default port for a scheme, the normal 850 form is to omit the port subcomponent. When not being used in 851 absolute form as the request target of an OPTIONS request, an empty 852 path component is equivalent to an absolute path of "/", so the 853 normal form is to provide a path of "/" instead. The scheme and host 854 are case-insensitive and normally provided in lowercase; all other 855 components are compared in a case-sensitive manner. Characters other 856 than those in the "reserved" set are equivalent to their percent- 857 encoded octets: the normal form is to not encode them (see Sections 858 2.1 and 2.2 of [RFC3986]). 860 For example, the following three URIs are equivalent: 862 http://example.com:80/~smith/home.html 863 http://EXAMPLE.com/%7Esmith/home.html 864 http://EXAMPLE.com:/%7esmith/home.html 866 3. Conformance 868 3.1. Implementation Diversity 870 When considering the design of HTTP, it is easy to fall into a trap 871 of thinking that all user agents are general-purpose browsers and all 872 origin servers are large public websites. That is not the case in 873 practice. Common HTTP user agents include household appliances, 874 stereos, scales, firmware update scripts, command-line programs, 875 mobile apps, and communication devices in a multitude of shapes and 876 sizes. Likewise, common HTTP origin servers include home automation 877 units, configurable networking components, office machines, 878 autonomous robots, news feeds, traffic cameras, ad selectors, and 879 video-delivery platforms. 881 The term "user agent" does not imply that there is a human user 882 directly interacting with the software agent at the time of a 883 request. In many cases, a user agent is installed or configured to 884 run in the background and save its results for later inspection (or 885 save only a subset of those results that might be interesting or 886 erroneous). Spiders, for example, are typically given a start URI 887 and configured to follow certain behavior while crawling the Web as a 888 hypertext graph. 890 The implementation diversity of HTTP means that not all user agents 891 can make interactive suggestions to their user or provide adequate 892 warning for security or privacy concerns. In the few cases where 893 this specification requires reporting of errors to the user, it is 894 acceptable for such reporting to only be observable in an error 895 console or log file. Likewise, requirements that an automated action 896 be confirmed by the user before proceeding might be met via advance 897 configuration choices, run-time options, or simple avoidance of the 898 unsafe action; confirmation does not imply any specific user 899 interface or interruption of normal processing if the user has 900 already made that choice. 902 3.2. Role-based Requirements 904 This specification targets conformance criteria according to the role 905 of a participant in HTTP communication. Hence, HTTP requirements are 906 placed on senders, recipients, clients, servers, user agents, 907 intermediaries, origin servers, proxies, gateways, or caches, 908 depending on what behavior is being constrained by the requirement. 909 Additional (social) requirements are placed on implementations, 910 resource owners, and protocol element registrations when they apply 911 beyond the scope of a single communication. 913 The verb "generate" is used instead of "send" where a requirement 914 differentiates between creating a protocol element and merely 915 forwarding a received element downstream. 917 An implementation is considered conformant if it complies with all of 918 the requirements associated with the roles it partakes in HTTP. 920 Conformance includes both the syntax and semantics of protocol 921 elements. A sender MUST NOT generate protocol elements that convey a 922 meaning that is known by that sender to be false. A sender MUST NOT 923 generate protocol elements that do not match the grammar defined by 924 the corresponding ABNF rules. Within a given message, a sender MUST 925 NOT generate protocol elements or syntax alternatives that are only 926 allowed to be generated by participants in other roles (i.e., a role 927 that the sender does not have for that message). 929 3.3. Parsing Elements 931 When a received protocol element is parsed, the recipient MUST be 932 able to parse any value of reasonable length that is applicable to 933 the recipient's role and that matches the grammar defined by the 934 corresponding ABNF rules. Note, however, that some received protocol 935 elements might not be parsed. For example, an intermediary 936 forwarding a message might parse a header-field into generic field- 937 name and field-value components, but then forward the header field 938 without further parsing inside the field-value. 940 HTTP does not have specific length limitations for many of its 941 protocol elements because the lengths that might be appropriate will 942 vary widely, depending on the deployment context and purpose of the 943 implementation. Hence, interoperability between senders and 944 recipients depends on shared expectations regarding what is a 945 reasonable length for each protocol element. Furthermore, what is 946 commonly understood to be a reasonable length for some protocol 947 elements has changed over the course of the past two decades of HTTP 948 use and is expected to continue changing in the future. 950 At a minimum, a recipient MUST be able to parse and process protocol 951 element lengths that are at least as long as the values that it 952 generates for those same protocol elements in other messages. For 953 example, an origin server that publishes very long URI references to 954 its own resources needs to be able to parse and process those same 955 references when received as a request target. 957 3.4. Error Handling 959 A recipient MUST interpret a received protocol element according to 960 the semantics defined for it by this specification, including 961 extensions to this specification, unless the recipient has determined 962 (through experience or configuration) that the sender incorrectly 963 implements what is implied by those semantics. For example, an 964 origin server might disregard the contents of a received Accept- 965 Encoding header field if inspection of the User-Agent header field 966 indicates a specific implementation version that is known to fail on 967 receipt of certain content codings. 969 Unless noted otherwise, a recipient MAY attempt to recover a usable 970 protocol element from an invalid construct. HTTP does not define 971 specific error handling mechanisms except when they have a direct 972 impact on security, since different applications of the protocol 973 require different error handling strategies. For example, a Web 974 browser might wish to transparently recover from a response where the 975 Location header field doesn't parse according to the ABNF, whereas a 976 systems control client might consider any form of error recovery to 977 be dangerous. 979 3.5. Protocol Versioning 981 The HTTP version number consists of two decimal digits separated by a 982 "." (period or decimal point). The first digit ("major version") 983 indicates the HTTP messaging syntax, whereas the second digit ("minor 984 version") indicates the highest minor version within that major 985 version to which the sender is conformant and able to understand for 986 future communication. 988 The protocol version as a whole indicates the sender's conformance 989 with the set of requirements laid out in that version's corresponding 990 specification of HTTP. For example, the version "HTTP/1.1" is 991 defined by the combined specifications of this document, "HTTP 992 Caching" [Caching], and "HTTP/1.1 Messaging" [Messaging]. 994 The minor version advertises the sender's communication capabilities 995 even when the sender is only using a backwards-compatible subset of 996 the protocol, thereby letting the recipient know that more advanced 997 features can be used in response (by servers) or in future requests 998 (by clients). 1000 A client SHOULD send a request version equal to the highest version 1001 to which the client is conformant and whose major version is no 1002 higher than the highest version supported by the server, if this is 1003 known. A client MUST NOT send a version to which it is not 1004 conformant. 1006 A client MAY send a lower request version if it is known that the 1007 server incorrectly implements the HTTP specification, but only after 1008 the client has attempted at least one normal request and determined 1009 from the response status code or header fields (e.g., Server) that 1010 the server improperly handles higher request versions. 1012 A server SHOULD send a response version equal to the highest version 1013 to which the server is conformant that has a major version less than 1014 or equal to the one received in the request. A server MUST NOT send 1015 a version to which it is not conformant. A server can send a 505 1016 (HTTP Version Not Supported) response if it wishes, for any reason, 1017 to refuse service of the client's major protocol version. 1019 HTTP's major version number is incremented when an incompatible 1020 message syntax is introduced. The minor number is incremented when 1021 changes made to the protocol have the effect of adding to the message 1022 semantics or implying additional capabilities of the sender. 1024 When an HTTP message is received with a major version number that the 1025 recipient implements, but a higher minor version number than what the 1026 recipient implements, the recipient SHOULD process the message as if 1027 it were in the highest minor version within that major version to 1028 which the recipient is conformant. A recipient can assume that a 1029 message with a higher minor version, when sent to a recipient that 1030 has not yet indicated support for that higher version, is 1031 sufficiently backwards-compatible to be safely processed by any 1032 implementation of the same major version. 1034 When a major version of HTTP does not define any minor versions, the 1035 minor version "0" is implied and is used when referring to that 1036 protocol within a protocol element that requires sending a minor 1037 version. 1039 4. Message Abstraction 1041 Each major version of HTTP defines its own syntax for the inclusion 1042 of information in messages. Nevertheless, a common abstraction is 1043 that a message includes some form of envelope/framing, a potential 1044 set of named data fields, and a potential body. This section defines 1045 the abstraction for message fields as field-name and field-value 1046 pairs. 1048 4.1. Header Field Names 1050 Header fields are key:value pairs that can be used to communicate 1051 data about the message, its payload, the target resource, or the 1052 connection (i.e., control data). 1054 The requirements for header field names are defined in [BCP90]. 1056 The field-name token labels the corresponding field-value as having 1057 the semantics defined by that header field. For example, the Date 1058 header field is defined in Section 10.1.1.2 as containing the 1059 origination timestamp for the message in which it appears. 1061 field-name = token 1063 The interpretation of a header field does not change between minor 1064 versions of the same major HTTP version, though the default behavior 1065 of a recipient in the absence of such a field can change. Unless 1066 specified otherwise, header fields are defined for all versions of 1067 HTTP. In particular, the Host and Connection header fields ought to 1068 be implemented by all HTTP/1.x implementations whether or not they 1069 advertise conformance with HTTP/1.1. 1071 New header fields can be introduced without changing the protocol 1072 version if their defined semantics allow them to be safely ignored by 1073 recipients that do not recognize them. Header field extensibility is 1074 discussed in Section 4.1.2. 1076 The following field names are defined by this document: 1078 +---------------------------+------------+-------------------+ 1079 | Header Field Name | Status | Reference | 1080 +---------------------------+------------+-------------------+ 1081 | Accept | standard | Section 8.4.2 | 1082 | Accept-Charset | deprecated | Section 8.4.3 | 1083 | Accept-Encoding | standard | Section 8.4.4 | 1084 | Accept-Language | standard | Section 8.4.5 | 1085 | Accept-Ranges | standard | Section 10.4.1 | 1086 | Allow | standard | Section 10.4.2 | 1087 | Authentication-Info | standard | Section 10.3.3 | 1088 | Authorization | standard | Section 8.5.3 | 1089 | Content-Encoding | standard | Section 6.2.2 | 1090 | Content-Language | standard | Section 6.2.3 | 1091 | Content-Length | standard | Section 6.2.4 | 1092 | Content-Location | standard | Section 6.2.5 | 1093 | Content-Range | standard | Section 6.3.3 | 1094 | Content-Type | standard | Section 6.2.1 | 1095 | Date | standard | Section 10.1.1.2 | 1096 | ETag | standard | Section 10.2.3 | 1097 | Expect | standard | Section 8.1.1 | 1098 | From | standard | Section 8.6.1 | 1099 | Host | standard | Section 5.4 | 1100 | If-Match | standard | Section 8.2.3 | 1101 | If-Modified-Since | standard | Section 8.2.5 | 1102 | If-None-Match | standard | Section 8.2.4 | 1103 | If-Range | standard | Section 8.2.7 | 1104 | If-Unmodified-Since | standard | Section 8.2.6 | 1105 | Last-Modified | standard | Section 10.2.2 | 1106 | Location | standard | Section 10.1.2 | 1107 | Max-Forwards | standard | Section 8.1.2 | 1108 | Proxy-Authenticate | standard | Section 10.3.2 | 1109 | Proxy-Authentication-Info | standard | Section 10.3.4 | 1110 | Proxy-Authorization | standard | Section 8.5.4 | 1111 | Range | standard | Section 8.3 | 1112 | Referer | standard | Section 8.6.2 | 1113 | Retry-After | standard | Section 10.1.3 | 1114 | Server | standard | Section 10.4.3 | 1115 | Trailer | standard | Section 4.4 | 1116 | User-Agent | standard | Section 8.6.3 | 1117 | Vary | standard | Section 10.1.4 | 1118 | Via | standard | Section 5.5.1 | 1119 | WWW-Authenticate | standard | Section 10.3.1 | 1120 +---------------------------+------------+-------------------+ 1122 4.1.1. Header Field Name Registry 1124 The "Hypertext Transfer Protocol (HTTP) Header Field Registry" 1125 defines the namespace for HTTP header field names. 1127 Any party can request registration of a HTTP header field. See 1128 Section 4.1.3 for considerations to take into account when creating a 1129 new HTTP header field. 1131 The "HTTP Header Field Name" registry is located at 1132 "https://www.iana.org/assignments/http-headers/". Registration 1133 requests can be made by following the instructions located there or 1134 by sending an email to the "ietf-http-wg@ietf.org" mailing list. 1136 Header field names are registered on the advice of a Designated 1137 Expert (appointed by the IESG or their delegate). Header fields with 1138 the status 'permanent' are Specification Required (using terminology 1139 from [RFC8126]). 1141 Registration requests consist of at least the following information: 1143 o Header field name: The requested field name. It MUST conform to 1144 the field-name syntax defined in Section 4.1, and SHOULD be 1145 restricted to just letters, digits, hyphen ('-') and underscore 1146 ('_') characters, with the first character being a letter. 1148 o Status: "permanent" or "provisional" 1150 o Specification document(s): Reference to the document that 1151 specifies the header field, preferably including a URI that can be 1152 used to retrieve a copy of the document. An indication of the 1153 relevant section(s) can also be included, but is not required. 1155 The Expert(s) can define additional fields to be collected in the 1156 registry, in consultation with the community. 1158 Standards-defined names have a status of "permanent". Other names 1159 can also be registered as permanent, if the Expert(s) find that they 1160 are in use, in consultation with the community. Other names should 1161 be registered as "provisional". 1163 Provisional entries can be removed by the Expert(s) if -- in 1164 consultation with the community -- the Expert(s) find that they are 1165 not in use. The Experts can change a provisional entry's status to 1166 permanent at any time. 1168 Note that names can be registered by third parties (including the 1169 Expert(s)), if the Expert(s) determines that an unregistered name is 1170 widely deployed and not likely to be registered in a timely manner 1171 otherwise. 1173 4.1.2. Header Field Extensibility 1175 Header fields are fully extensible: there is no limit on the 1176 introduction of new field names, each presumably defining new 1177 semantics, nor on the number of header fields used in a given 1178 message. Existing fields are defined in each part of this 1179 specification and in many other specifications outside this document 1180 set. 1182 New header fields can be defined such that, when they are understood 1183 by a recipient, they might override or enhance the interpretation of 1184 previously defined header fields, define preconditions on request 1185 evaluation, or refine the meaning of responses. 1187 A proxy MUST forward unrecognized header fields unless the field-name 1188 is listed in the Connection header field (Section 9.1 of [Messaging]) 1189 or the proxy is specifically configured to block, or otherwise 1190 transform, such fields. Other recipients SHOULD ignore unrecognized 1191 header fields. These requirements allow HTTP's functionality to be 1192 enhanced without requiring prior update of deployed intermediaries. 1194 All defined header fields ought to be registered with IANA in the 1195 "HTTP Header Field Name" registry. 1197 4.1.3. Considerations for New Header Fields 1199 Authors of specifications defining new fields are advised to keep the 1200 name as short as practical and not to prefix the name with "X-" 1201 unless the header field will never be used on the Internet. (The 1202 "X-" prefix idiom has been extensively misused in practice; it was 1203 intended to only be used as a mechanism for avoiding name collisions 1204 inside proprietary software or intranet processing, since the prefix 1205 would ensure that private names never collide with a newly registered 1206 Internet name; see [BCP178] for further information). 1208 Authors of specifications defining new header fields are advised to 1209 consider documenting: 1211 o Whether the field is a single value or whether it can be a list 1212 (delimited by commas; see Section 5 of [Messaging]). 1214 If it does not use the list syntax, document how to treat messages 1215 where the field occurs multiple times (a sensible default would be 1216 to ignore the field, but this might not always be the right 1217 choice). 1219 Note that intermediaries and software libraries might combine 1220 multiple header field instances into a single one, despite the 1221 field's definition not allowing the list syntax. A robust format 1222 enables recipients to discover these situations (good example: 1223 "Content-Type", as the comma can only appear inside quoted 1224 strings; bad example: "Location", as a comma can occur inside a 1225 URI). 1227 o Under what conditions the header field can be used; e.g., only in 1228 responses or requests, in all messages, only on responses to a 1229 particular request method, etc. 1231 o Whether the field should be stored by origin servers that 1232 understand it upon a PUT request. 1234 o Whether the field semantics are further refined by the context, 1235 such as by existing request methods or status codes. 1237 o Whether it is appropriate to list the field-name in the Connection 1238 header field (i.e., if the header field is to be hop-by-hop; see 1239 Section 9.1 of [Messaging]). 1241 o Under what conditions intermediaries are allowed to insert, 1242 delete, or modify the field's value. 1244 o Whether it is appropriate to list the field-name in a Vary 1245 response header field (e.g., when the request header field is used 1246 by an origin server's content selection algorithm; see 1247 Section 10.1.4). 1249 o Whether the header field is useful or allowable in trailers (see 1250 Section 7.1 of [Messaging]). 1252 o Whether the header field ought to be preserved across redirects. 1254 o Whether it introduces any additional security considerations, such 1255 as disclosure of privacy-related data. 1257 4.2. Header Field Values 1259 This specification does not use ABNF rules to define each "Field- 1260 Name: Field Value" pair, as was done in earlier editions. Instead, 1261 this specification uses ABNF rules that are named according to each 1262 registered field name, wherein the rule defines the valid grammar for 1263 that field's corresponding field values (i.e., after the field-value 1264 has been extracted by a generic field parser). 1266 field-value = *( field-content / obs-fold ) 1267 field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] 1268 field-vchar = VCHAR / obs-text 1270 Historically, HTTP header field values could be extended over 1271 multiple lines by preceding each extra line with at least one space 1272 or horizontal tab (obs-fold). [[CREF1: This document assumes that 1273 any such obs-fold has been replaced with one or more SP octets prior 1274 to interpreting the field value, as described in Section 5.2 of 1275 [Messaging].]] 1277 Historically, HTTP has allowed field content with text in the 1278 ISO-8859-1 charset [ISO-8859-1], supporting other charsets only 1279 through use of [RFC2047] encoding. In practice, most HTTP header 1280 field values use only a subset of the US-ASCII charset [USASCII]. 1281 Newly defined header fields SHOULD limit their field values to 1282 US-ASCII octets. A recipient SHOULD treat other octets in field 1283 content (obs-text) as opaque data. 1285 4.2.1. Header Field Order 1287 The order in which header fields with differing field names are 1288 received is not significant. However, it is good practice to send 1289 header fields that contain control data first, such as Host on 1290 requests and Date on responses, so that implementations can decide 1291 when not to handle a message as early as possible. A server MUST NOT 1292 apply a request to the target resource until the entire request 1293 header section is received, since later header fields might include 1294 conditionals, authentication credentials, or deliberately misleading 1295 duplicate header fields that would impact request processing. 1297 Aside from the well-known exception noted below, a sender MUST NOT 1298 generate multiple header fields with the same field name in a 1299 message, or append a header field when a field of the same name 1300 already exists in the message, unless that field's definition allows 1301 multiple field values to be recombined as a comma-separated list 1302 [i.e., at least one alternative of the field's definition allows a 1303 comma-separated list, such as an ABNF rule of #(values)]. 1305 A recipient MAY combine multiple header fields with the same field 1306 name into one "field-name: field-value" pair, without changing the 1307 semantics of the message, by appending each subsequent field value to 1308 the combined field value in order, separated by a comma. The order 1309 in which header fields with the same field name are received is 1310 therefore significant to the interpretation of the combined field 1311 value; a proxy MUST NOT change the order of these field values when 1312 forwarding a message. 1314 Note: In practice, the "Set-Cookie" header field ([RFC6265]) often 1315 appears multiple times in a response message and does not use the 1316 list syntax, violating the above requirements on multiple header 1317 fields with the same name. Since it cannot be combined into a 1318 single field-value, recipients ought to handle "Set-Cookie" as a 1319 special case while processing header fields. (See Appendix A.2.3 1320 of [Kri2001] for details.) 1322 4.2.2. Header Field Limits 1324 HTTP does not place a predefined limit on the length of each header 1325 field or on the length of the header section as a whole, as described 1326 in Section 3. Various ad hoc limitations on individual header field 1327 length are found in practice, often depending on the specific field 1328 semantics. 1330 A server that receives a request header field, or set of fields, 1331 larger than it wishes to process MUST respond with an appropriate 4xx 1332 (Client Error) status code. Ignoring such header fields would 1333 increase the server's vulnerability to request smuggling attacks 1334 (Section 11.2 of [Messaging]). 1336 A client MAY discard or truncate received header fields that are 1337 larger than the client wishes to process if the field semantics are 1338 such that the dropped value(s) can be safely ignored without changing 1339 the message framing or response semantics. 1341 4.2.3. Header Field Value Components 1343 Most HTTP header field values are defined using common syntax 1344 components (token, quoted-string, and comment) separated by 1345 whitespace or specific delimiting characters. Delimiters are chosen 1346 from the set of US-ASCII visual characters not allowed in a token 1347 (DQUOTE and "(),/:;<=>?@[\]{}"). 1349 token = 1*tchar 1351 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" 1352 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" 1353 / DIGIT / ALPHA 1354 ; any VCHAR, except delimiters 1356 A string of text is parsed as a single value if it is quoted using 1357 double-quote marks. 1359 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 1360 qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text 1361 obs-text = %x80-FF 1363 Comments can be included in some HTTP header fields by surrounding 1364 the comment text with parentheses. Comments are only allowed in 1365 fields containing "comment" as part of their field value definition. 1367 comment = "(" *( ctext / quoted-pair / comment ) ")" 1368 ctext = HTAB / SP / %x21-27 / %x2A-5B / %x5D-7E / obs-text 1370 The backslash octet ("\") can be used as a single-octet quoting 1371 mechanism within quoted-string and comment constructs. Recipients 1372 that process the value of a quoted-string MUST handle a quoted-pair 1373 as if it were replaced by the octet following the backslash. 1375 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 1377 A sender SHOULD NOT generate a quoted-pair in a quoted-string except 1378 where necessary to quote DQUOTE and backslash octets occurring within 1379 that string. A sender SHOULD NOT generate a quoted-pair in a comment 1380 except where necessary to quote parentheses ["(" and ")"] and 1381 backslash octets occurring within that comment. 1383 4.2.4. Designing New Header Field Values 1385 New header field values typically have their syntax defined using 1386 ABNF ([RFC5234]), using the extension defined in Section 11 as 1387 necessary, and are usually constrained to the range of US-ASCII 1388 characters. Header fields needing a greater range of characters can 1389 use an encoding such as the one defined in [RFC8187]. 1391 Leading and trailing whitespace in raw field values is removed upon 1392 field parsing (Section 5.1 of [Messaging]). Field definitions where 1393 leading or trailing whitespace in values is significant will have to 1394 use a container syntax such as quoted-string (Section 4.2.3). 1396 Because commas (",") are used as a generic delimiter between field- 1397 values, they need to be treated with care if they are allowed in the 1398 field-value. Typically, components that might contain a comma are 1399 protected with double-quotes using the quoted-string ABNF production. 1401 For example, a textual date and a URI (either of which might contain 1402 a comma) could be safely carried in field-values like these: 1404 Example-URI-Field: "http://example.com/a.html,foo", 1405 "http://without-a-comma.example.com/" 1406 Example-Date-Field: "Sat, 04 May 1996", "Wed, 14 Sep 2005" 1408 Note that double-quote delimiters almost always are used with the 1409 quoted-string production; using a different syntax inside double- 1410 quotes will likely cause unnecessary confusion. 1412 Many header fields use a format including (case-insensitively) named 1413 parameters (for instance, Content-Type, defined in Section 6.2.1). 1414 Allowing both unquoted (token) and quoted (quoted-string) syntax for 1415 the parameter value enables recipients to use existing parser 1416 components. When allowing both forms, the meaning of a parameter 1417 value ought to be independent of the syntax used for it (for an 1418 example, see the notes on parameter handling for media types in 1419 Section 6.1.1). 1421 4.3. Whitespace 1423 This specification uses three rules to denote the use of linear 1424 whitespace: OWS (optional whitespace), RWS (required whitespace), and 1425 BWS ("bad" whitespace). 1427 The OWS rule is used where zero or more linear whitespace octets 1428 might appear. For protocol elements where optional whitespace is 1429 preferred to improve readability, a sender SHOULD generate the 1430 optional whitespace as a single SP; otherwise, a sender SHOULD NOT 1431 generate optional whitespace except as needed to white out invalid or 1432 unwanted protocol elements during in-place message filtering. 1434 The RWS rule is used when at least one linear whitespace octet is 1435 required to separate field tokens. A sender SHOULD generate RWS as a 1436 single SP. 1438 The BWS rule is used where the grammar allows optional whitespace 1439 only for historical reasons. A sender MUST NOT generate BWS in 1440 messages. A recipient MUST parse for such bad whitespace and remove 1441 it before interpreting the protocol element. 1443 OWS = *( SP / HTAB ) 1444 ; optional whitespace 1445 RWS = 1*( SP / HTAB ) 1446 ; required whitespace 1447 BWS = OWS 1448 ; "bad" whitespace 1450 4.4. Trailer 1452 [[CREF2: The "Trailer" header field in a message indicates fields 1453 that the sender anticipates sending after the message header block 1454 (i.e., during or after the payload is sent). This is typically used 1455 to supply metadata that might be dynamically generated while the data 1456 is sent, such as a message integrity check, digital signature, or 1457 post-processing status. ]] 1459 Trailer = 1#field-name 1461 [[CREF3: How, where, and when trailer fields might be sent depends on 1462 both the protocol in use (HTTP version and/or transfer coding) and 1463 the semantics of each named header field. Many header fields cannot 1464 be processed outside the header section because their evaluation is 1465 necessary for message routing, authentication, or configuration prior 1466 to receiving the representation data. ]] 1468 5. Message Routing 1470 HTTP request message routing is determined by each client based on 1471 the target resource, the client's proxy configuration, and 1472 establishment or reuse of an inbound connection. The corresponding 1473 response routing follows the same connection chain back to the 1474 client. 1476 5.1. Identifying a Target Resource 1478 HTTP is used in a wide variety of applications, ranging from general- 1479 purpose computers to home appliances. In some cases, communication 1480 options are hard-coded in a client's configuration. However, most 1481 HTTP clients rely on the same resource identification mechanism and 1482 configuration techniques as general-purpose Web browsers. 1484 HTTP communication is initiated by a user agent for some purpose. 1485 The purpose is a combination of request semantics and a target 1486 resource upon which to apply those semantics. A URI reference 1487 (Section 2.4) is typically used as an identifier for the "target 1488 resource", which a user agent would resolve to its absolute form in 1489 order to obtain the "target URI". The target URI excludes the 1490 reference's fragment component, if any, since fragment identifiers 1491 are reserved for client-side processing ([RFC3986], Section 3.5). 1493 5.2. Routing Inbound 1495 Once the target URI is determined, a client needs to decide whether a 1496 network request is necessary to accomplish the desired semantics and, 1497 if so, where that request is to be directed. 1499 If the client has a cache [Caching] and the request can be satisfied 1500 by it, then the request is usually directed there first. 1502 If the request is not satisfied by a cache, then a typical client 1503 will check its configuration to determine whether a proxy is to be 1504 used to satisfy the request. Proxy configuration is implementation- 1505 dependent, but is often based on URI prefix matching, selective 1506 authority matching, or both, and the proxy itself is usually 1507 identified by an "http" or "https" URI. If a proxy is applicable, 1508 the client connects inbound by establishing (or reusing) a connection 1509 to that proxy. 1511 If no proxy is applicable, a typical client will invoke a handler 1512 routine, usually specific to the target URI's scheme, to connect 1513 directly to an authority for the target resource. How that is 1514 accomplished is dependent on the target URI scheme and defined by its 1515 associated specification, similar to how this specification defines 1516 origin server access for resolution of the "http" (Section 2.5.1) and 1517 "https" (Section 2.5.2) schemes. 1519 HTTP requirements regarding connection management are defined in 1520 Section 9 of [Messaging]. 1522 5.3. Effective Request URI 1524 Once an inbound connection is obtained, the client sends an HTTP 1525 request message (Section 2 of [Messaging]). 1527 Depending on the nature of the request, the client's target URI might 1528 be split into components and transmitted (or implied) within various 1529 parts of a request message. These parts are recombined by each 1530 recipient, in accordance with their local configuration and incoming 1531 connection context, to form an "effective request URI" for 1532 identifying the intended target resource with respect to that server. 1533 Section 3.3 of [Messaging] defines how a server determines the 1534 effective request URI for an HTTP/1.1 request. 1536 For a user agent, the effective request URI is the target URI. 1538 Once the effective request URI has been constructed, an origin server 1539 needs to decide whether or not to provide service for that URI via 1540 the connection in which the request was received. For example, the 1541 request might have been misdirected, deliberately or accidentally, 1542 such that the information within a received request-target or Host 1543 header field differs from the host or port upon which the connection 1544 has been made. If the connection is from a trusted gateway, that 1545 inconsistency might be expected; otherwise, it might indicate an 1546 attempt to bypass security filters, trick the server into delivering 1547 non-public content, or poison a cache. See Section 12 for security 1548 considerations regarding message routing. 1550 5.4. Host 1552 The "Host" header field in a request provides the host and port 1553 information from the target URI, enabling the origin server to 1554 distinguish among resources while servicing requests for multiple 1555 host names on a single IP address. 1557 Host = uri-host [ ":" port ] ; Section 2.4 1559 A client MUST send a Host header field in all HTTP/1.1 request 1560 messages. If the target URI includes an authority component, then a 1561 client MUST send a field-value for Host that is identical to that 1562 authority component, excluding any userinfo subcomponent and its "@" 1563 delimiter (Section 2.5.1). If the authority component is missing or 1564 undefined for the target URI, then a client MUST send a Host header 1565 field with an empty field-value. 1567 Since the Host field-value is critical information for handling a 1568 request, a user agent SHOULD generate Host as the first header field 1569 following the request-line. 1571 For example, a GET request to the origin server for 1572 would begin with: 1574 GET /pub/WWW/ HTTP/1.1 1575 Host: www.example.org 1577 A client MUST send a Host header field in an HTTP/1.1 request even if 1578 the request-target is in the absolute-form, since this allows the 1579 Host information to be forwarded through ancient HTTP/1.0 proxies 1580 that might not have implemented Host. 1582 When a proxy receives a request with an absolute-form of request- 1583 target, the proxy MUST ignore the received Host header field (if any) 1584 and instead replace it with the host information of the request- 1585 target. A proxy that forwards such a request MUST generate a new 1586 Host field-value based on the received request-target rather than 1587 forward the received Host field-value. 1589 Since the Host header field acts as an application-level routing 1590 mechanism, it is a frequent target for malware seeking to poison a 1591 shared cache or redirect a request to an unintended server. An 1592 interception proxy is particularly vulnerable if it relies on the 1593 Host field-value for redirecting requests to internal servers, or for 1594 use as a cache key in a shared cache, without first verifying that 1595 the intercepted connection is targeting a valid IP address for that 1596 host. 1598 A server MUST respond with a 400 (Bad Request) status code to any 1599 HTTP/1.1 request message that lacks a Host header field and to any 1600 request message that contains more than one Host header field or a 1601 Host header field with an invalid field-value. 1603 5.5. Message Forwarding 1605 As described in Section 2.2, intermediaries can serve a variety of 1606 roles in the processing of HTTP requests and responses. Some 1607 intermediaries are used to improve performance or availability. 1608 Others are used for access control or to filter content. Since an 1609 HTTP stream has characteristics similar to a pipe-and-filter 1610 architecture, there are no inherent limits to the extent an 1611 intermediary can enhance (or interfere) with either direction of the 1612 stream. 1614 An intermediary not acting as a tunnel MUST implement the Connection 1615 header field, as specified in Section 9.1 of [Messaging], and exclude 1616 fields from being forwarded that are only intended for the incoming 1617 connection. 1619 An intermediary MUST NOT forward a message to itself unless it is 1620 protected from an infinite request loop. In general, an intermediary 1621 ought to recognize its own server names, including any aliases, local 1622 variations, or literal IP addresses, and respond to such requests 1623 directly. 1625 An HTTP message can be parsed as a stream for incremental processing 1626 or forwarding downstream. However, recipients cannot rely on 1627 incremental delivery of partial messages, since some implementations 1628 will buffer or delay message forwarding for the sake of network 1629 efficiency, security checks, or payload transformations. 1631 5.5.1. Via 1633 The "Via" header field indicates the presence of intermediate 1634 protocols and recipients between the user agent and the server (on 1635 requests) or between the origin server and the client (on responses), 1636 similar to the "Received" header field in email (Section 3.6.7 of 1637 [RFC5322]). Via can be used for tracking message forwards, avoiding 1638 request loops, and identifying the protocol capabilities of senders 1639 along the request/response chain. 1641 Via = 1#( received-protocol RWS received-by [ RWS comment ] ) 1643 received-protocol = [ protocol-name "/" ] protocol-version 1644 ; see [Messaging], Section 9.8 1645 received-by = ( uri-host [ ":" port ] ) / pseudonym 1646 pseudonym = token 1648 Multiple Via field values represent each proxy or gateway that has 1649 forwarded the message. Each intermediary appends its own information 1650 about how the message was received, such that the end result is 1651 ordered according to the sequence of forwarding recipients. 1653 A proxy MUST send an appropriate Via header field, as described 1654 below, in each message that it forwards. An HTTP-to-HTTP gateway 1655 MUST send an appropriate Via header field in each inbound request 1656 message and MAY send a Via header field in forwarded response 1657 messages. 1659 For each intermediary, the received-protocol indicates the protocol 1660 and protocol version used by the upstream sender of the message. 1661 Hence, the Via field value records the advertised protocol 1662 capabilities of the request/response chain such that they remain 1663 visible to downstream recipients; this can be useful for determining 1664 what backwards-incompatible features might be safe to use in 1665 response, or within a later request, as described in Section 3.5. 1666 For brevity, the protocol-name is omitted when the received protocol 1667 is HTTP. 1669 The received-by portion of the field value is normally the host and 1670 optional port number of a recipient server or client that 1671 subsequently forwarded the message. However, if the real host is 1672 considered to be sensitive information, a sender MAY replace it with 1673 a pseudonym. If a port is not provided, a recipient MAY interpret 1674 that as meaning it was received on the default TCP port, if any, for 1675 the received-protocol. 1677 A sender MAY generate comments in the Via header field to identify 1678 the software of each recipient, analogous to the User-Agent and 1679 Server header fields. However, all comments in the Via field are 1680 optional, and a recipient MAY remove them prior to forwarding the 1681 message. 1683 For example, a request message could be sent from an HTTP/1.0 user 1684 agent to an internal proxy code-named "fred", which uses HTTP/1.1 to 1685 forward the request to a public proxy at p.example.net, which 1686 completes the request by forwarding it to the origin server at 1687 www.example.com. The request received by www.example.com would then 1688 have the following Via header field: 1690 Via: 1.0 fred, 1.1 p.example.net 1692 An intermediary used as a portal through a network firewall SHOULD 1693 NOT forward the names and ports of hosts within the firewall region 1694 unless it is explicitly enabled to do so. If not enabled, such an 1695 intermediary SHOULD replace each received-by host of any host behind 1696 the firewall by an appropriate pseudonym for that host. 1698 An intermediary MAY combine an ordered subsequence of Via header 1699 field entries into a single such entry if the entries have identical 1700 received-protocol values. For example, 1702 Via: 1.0 ricky, 1.1 ethel, 1.1 fred, 1.0 lucy 1704 could be collapsed to 1706 Via: 1.0 ricky, 1.1 mertz, 1.0 lucy 1708 A sender SHOULD NOT combine multiple entries unless they are all 1709 under the same organizational control and the hosts have already been 1710 replaced by pseudonyms. A sender MUST NOT combine entries that have 1711 different received-protocol values. 1713 5.5.2. Transformations 1715 Some intermediaries include features for transforming messages and 1716 their payloads. A proxy might, for example, convert between image 1717 formats in order to save cache space or to reduce the amount of 1718 traffic on a slow link. However, operational problems might occur 1719 when these transformations are applied to payloads intended for 1720 critical applications, such as medical imaging or scientific data 1721 analysis, particularly when integrity checks or digital signatures 1722 are used to ensure that the payload received is identical to the 1723 original. 1725 An HTTP-to-HTTP proxy is called a "transforming proxy" if it is 1726 designed or configured to modify messages in a semantically 1727 meaningful way (i.e., modifications, beyond those required by normal 1728 HTTP processing, that change the message in a way that would be 1729 significant to the original sender or potentially significant to 1730 downstream recipients). For example, a transforming proxy might be 1731 acting as a shared annotation server (modifying responses to include 1732 references to a local annotation database), a malware filter, a 1733 format transcoder, or a privacy filter. Such transformations are 1734 presumed to be desired by whichever client (or client organization) 1735 selected the proxy. 1737 If a proxy receives a request-target with a host name that is not a 1738 fully qualified domain name, it MAY add its own domain to the host 1739 name it received when forwarding the request. A proxy MUST NOT 1740 change the host name if the request-target contains a fully qualified 1741 domain name. 1743 A proxy MUST NOT modify the "absolute-path" and "query" parts of the 1744 received request-target when forwarding it to the next inbound 1745 server, except as noted above to replace an empty path with "/" or 1746 "*". 1748 A proxy MAY modify the message body through application or removal of 1749 a transfer coding (Section 7 of [Messaging]). 1751 A proxy MUST NOT transform the payload (Section 6.3) of a message 1752 that contains a no-transform cache-control response directive 1753 (Section 5.2 of [Caching]). 1755 A proxy MAY transform the payload of a message that does not contain 1756 a no-transform cache-control directive. A proxy that transforms the 1757 payload of a 200 (OK) response can inform downstream recipients that 1758 a transformation has been applied by changing the response status 1759 code to 203 (Non-Authoritative Information) (Section 9.3.4). 1761 A proxy SHOULD NOT modify header fields that provide information 1762 about the endpoints of the communication chain, the resource state, 1763 or the selected representation (other than the payload) unless the 1764 field's definition specifically allows such modification or the 1765 modification is deemed necessary for privacy or security. 1767 6. Representations 1769 Considering that a resource could be anything, and that the uniform 1770 interface provided by HTTP is similar to a window through which one 1771 can observe and act upon such a thing only through the communication 1772 of messages to some independent actor on the other side, an 1773 abstraction is needed to represent ("take the place of") the current 1774 or desired state of that thing in our communications. That 1775 abstraction is called a representation [REST]. 1777 For the purposes of HTTP, a "representation" is information that is 1778 intended to reflect a past, current, or desired state of a given 1779 resource, in a format that can be readily communicated via the 1780 protocol, and that consists of a set of representation metadata and a 1781 potentially unbounded stream of representation data. 1783 An origin server might be provided with, or be capable of generating, 1784 multiple representations that are each intended to reflect the 1785 current state of a target resource. In such cases, some algorithm is 1786 used by the origin server to select one of those representations as 1787 most applicable to a given request, usually based on content 1788 negotiation. This "selected representation" is used to provide the 1789 data and metadata for evaluating conditional requests Section 8.2 and 1790 constructing the payload for 200 (OK) and 304 (Not Modified) 1791 responses to GET (Section 7.3.1). 1793 6.1. Representation Data 1795 The representation data associated with an HTTP message is either 1796 provided as the payload body of the message or referred to by the 1797 message semantics and the effective request URI. The representation 1798 data is in a format and encoding defined by the representation 1799 metadata header fields. 1801 The data type of the representation data is determined via the header 1802 fields Content-Type and Content-Encoding. These define a two-layer, 1803 ordered encoding model: 1805 representation-data := Content-Encoding( Content-Type( bits ) ) 1807 6.1.1. Media Type 1809 HTTP uses media types [RFC2046] in the Content-Type (Section 6.2.1) 1810 and Accept (Section 8.4.2) header fields in order to provide open and 1811 extensible data typing and type negotiation. Media types define both 1812 a data format and various processing models: how to process that data 1813 in accordance with each context in which it is received. 1815 media-type = type "/" subtype *( OWS ";" OWS parameter ) 1816 type = token 1817 subtype = token 1819 The type/subtype MAY be followed by parameters in the form of 1820 name=value pairs. 1822 parameter = token "=" ( token / quoted-string ) 1824 The type, subtype, and parameter name tokens are case-insensitive. 1825 Parameter values might or might not be case-sensitive, depending on 1826 the semantics of the parameter name. The presence or absence of a 1827 parameter might be significant to the processing of a media-type, 1828 depending on its definition within the media type registry. 1830 A parameter value that matches the token production can be 1831 transmitted either as a token or within a quoted-string. The quoted 1832 and unquoted values are equivalent. 1834 For example, the following examples are all equivalent, but the first 1835 is preferred for consistency: 1837 text/html;charset=utf-8 1838 Text/HTML;Charset="utf-8" 1839 text/html; charset="utf-8" 1841 Furthermore, the example below is equivalent as well, as the 1842 "charset" parameter value is defined as case-insensitive ([RFC2046], 1843 Section 4.1.2): 1845 text/html;charset=UTF-8 1847 Media types ought to be registered with IANA according to the 1848 procedures defined in [BCP13]. 1850 Note: Unlike some similar constructs in other header fields, media 1851 type parameters do not allow whitespace (even "bad" whitespace) 1852 around the "=" character. 1854 6.1.1.1. Charset 1856 HTTP uses charset names to indicate or negotiate the character 1857 encoding scheme of a textual representation [RFC6365]. A charset is 1858 identified by a case-insensitive token. 1860 charset = token 1862 Charset names ought to be registered in the IANA "Character Sets" 1863 registry () 1864 according to the procedures defined in Section 2 of [RFC2978]. 1866 Note: in practice, charset names are furthermore restricted by the 1867 "mime-charset" ABNF rule defined in Section 2.3 of [RFC2978] (as 1868 corrected in [Err1912]). However, that rule allows two characters 1869 not included in "token" ("{" and "}"), but at the time of this 1870 writing no character set using these was registered (see 1871 [Err5433]). 1873 6.1.1.2. Canonicalization and Text Defaults 1875 Media types are registered with a canonical form in order to be 1876 interoperable among systems with varying native encoding formats. 1877 Representations selected or transferred via HTTP ought to be in 1878 canonical form, for many of the same reasons described by the 1879 Multipurpose Internet Mail Extensions (MIME) [RFC2045]. However, the 1880 performance characteristics of email deployments (i.e., store and 1881 forward messages to peers) are significantly different from those 1882 common to HTTP and the Web (server-based information services). 1883 Furthermore, MIME's constraints for the sake of compatibility with 1884 older mail transfer protocols do not apply to HTTP (see Appendix B of 1885 [Messaging]). 1887 MIME's canonical form requires that media subtypes of the "text" type 1888 use CRLF as the text line break. HTTP allows the transfer of text 1889 media with plain CR or LF alone representing a line break, when such 1890 line breaks are consistent for an entire representation. An HTTP 1891 sender MAY generate, and a recipient MUST be able to parse, line 1892 breaks in text media that consist of CRLF, bare CR, or bare LF. In 1893 addition, text media in HTTP is not limited to charsets that use 1894 octets 13 and 10 for CR and LF, respectively. This flexibility 1895 regarding line breaks applies only to text within a representation 1896 that has been assigned a "text" media type; it does not apply to 1897 "multipart" types or HTTP elements outside the payload body (e.g., 1898 header fields). 1900 If a representation is encoded with a content-coding, the underlying 1901 data ought to be in a form defined above prior to being encoded. 1903 6.1.1.3. Multipart Types 1905 MIME provides for a number of "multipart" types -- encapsulations of 1906 one or more representations within a single message body. All 1907 multipart types share a common syntax, as defined in Section 5.1.1 of 1908 [RFC2046], and include a boundary parameter as part of the media type 1909 value. The message body is itself a protocol element; a sender MUST 1910 generate only CRLF to represent line breaks between body parts. 1912 HTTP message framing does not use the multipart boundary as an 1913 indicator of message body length, though it might be used by 1914 implementations that generate or process the payload. For example, 1915 the "multipart/form-data" type is often used for carrying form data 1916 in a request, as described in [RFC7578], and the "multipart/ 1917 byteranges" type is defined by this specification for use in some 206 1918 (Partial Content) responses (see Section 9.3.7). 1920 6.1.2. Content Codings 1922 Content coding values indicate an encoding transformation that has 1923 been or can be applied to a representation. Content codings are 1924 primarily used to allow a representation to be compressed or 1925 otherwise usefully transformed without losing the identity of its 1926 underlying media type and without loss of information. Frequently, 1927 the representation is stored in coded form, transmitted directly, and 1928 only decoded by the final recipient. 1930 content-coding = token 1932 Content-coding values are used in the Accept-Encoding (Section 8.4.4) 1933 and Content-Encoding (Section 6.2.2) header fields. 1935 The following content-coding values are defined by this 1936 specification: 1938 +------------+------------------------------------------+-----------+ 1939 | Name | Description | Reference | 1940 +------------+------------------------------------------+-----------+ 1941 | compress | UNIX "compress" data format [Welch] | Section | 1942 | | | 6.1.2.1 | 1943 | deflate | "deflate" compressed data ([RFC1951]) | Section | 1944 | | inside the "zlib" data format | 6.1.2.2 | 1945 | | ([RFC1950]) | | 1946 | gzip | GZIP file format [RFC1952] | Section | 1947 | | | 6.1.2.3 | 1948 | identity | Reserved (synonym for "no encoding" in | Section | 1949 | | Accept-Encoding) | 8.4.4 | 1950 | x-compress | Deprecated (alias for compress) | Section | 1951 | | | 6.1.2.1 | 1952 | x-gzip | Deprecated (alias for gzip) | Section | 1953 | | | 6.1.2.3 | 1954 +------------+------------------------------------------+-----------+ 1956 6.1.2.1. Compress Coding 1958 The "compress" coding is an adaptive Lempel-Ziv-Welch (LZW) coding 1959 [Welch] that is commonly produced by the UNIX file compression 1960 program "compress". A recipient SHOULD consider "x-compress" to be 1961 equivalent to "compress". 1963 6.1.2.2. Deflate Coding 1965 The "deflate" coding is a "zlib" data format [RFC1950] containing a 1966 "deflate" compressed data stream [RFC1951] that uses a combination of 1967 the Lempel-Ziv (LZ77) compression algorithm and Huffman coding. 1969 Note: Some non-conformant implementations send the "deflate" 1970 compressed data without the zlib wrapper. 1972 6.1.2.3. Gzip Coding 1974 The "gzip" coding is an LZ77 coding with a 32-bit Cyclic Redundancy 1975 Check (CRC) that is commonly produced by the gzip file compression 1976 program [RFC1952]. A recipient SHOULD consider "x-gzip" to be 1977 equivalent to "gzip". 1979 6.1.2.4. Content Coding Extensibility 1981 Additional content codings, outside the scope of this specification, 1982 have been specified for use in HTTP. All such content codings ought 1983 to be registered within the "HTTP Content Coding Registry". 1985 6.1.2.4.1. Content Coding Registry 1987 The "HTTP Content Coding Registry", maintained by IANA at 1988 , registers 1989 content-coding names. 1991 Content coding registrations MUST include the following fields: 1993 o Name 1995 o Description 1997 o Pointer to specification text 1999 Names of content codings MUST NOT overlap with names of transfer 2000 codings (Section 7 of [Messaging]), unless the encoding 2001 transformation is identical (as is the case for the compression 2002 codings defined in Section 6.1.2). 2004 Values to be added to this namespace require IETF Review (see 2005 Section 4.8 of [RFC8126]) and MUST conform to the purpose of content 2006 coding defined in Section 6.1.2. 2008 6.1.3. Language Tags 2010 A language tag, as defined in [RFC5646], identifies a natural 2011 language spoken, written, or otherwise conveyed by human beings for 2012 communication of information to other human beings. Computer 2013 languages are explicitly excluded. 2015 HTTP uses language tags within the Accept-Language and Content- 2016 Language header fields. Accept-Language uses the broader language- 2017 range production defined in Section 8.4.5, whereas Content-Language 2018 uses the language-tag production defined below. 2020 language-tag = 2022 A language tag is a sequence of one or more case-insensitive subtags, 2023 each separated by a hyphen character ("-", %x2D). In most cases, a 2024 language tag consists of a primary language subtag that identifies a 2025 broad family of related languages (e.g., "en" = English), which is 2026 optionally followed by a series of subtags that refine or narrow that 2027 language's range (e.g., "en-CA" = the variety of English as 2028 communicated in Canada). Whitespace is not allowed within a language 2029 tag. Example tags include: 2031 fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN 2033 See [RFC5646] for further information. 2035 6.1.4. Range Units 2037 A representation can be partitioned into subranges according to 2038 various structural units, depending on the structure inherent in the 2039 representation's media type. This "range unit" is used in the 2040 Accept-Ranges (Section 10.4.1) response header field to advertise 2041 support for range requests, the Range (Section 8.3) request header 2042 field to delineate the parts of a representation that are requested, 2043 and the Content-Range (Section 6.3.3) payload header field to 2044 describe which part of a representation is being transferred. 2046 range-unit = bytes-unit / other-range-unit 2048 The following range unit names are defined by this document: 2050 +-------------+---------------------------------------+-------------+ 2051 | Range Unit | Description | Reference | 2052 | Name | | | 2053 +-------------+---------------------------------------+-------------+ 2054 | bytes | a range of octets | Section | 2055 | | | 6.1.4.1 | 2056 | none | reserved as keyword, indicating no | Section | 2057 | | ranges are supported | 10.4.1 | 2058 +-------------+---------------------------------------+-------------+ 2060 6.1.4.1. Byte Ranges 2062 Since representation data is transferred in payloads as a sequence of 2063 octets, a byte range is a meaningful substructure for any 2064 representation transferable over HTTP (Section 6). The "bytes" range 2065 unit is defined for expressing subranges of the data's octet 2066 sequence. 2068 bytes-unit = "bytes" 2070 A byte-range request can specify a single range of bytes or a set of 2071 ranges within a single representation. 2073 byte-ranges-specifier = bytes-unit "=" byte-range-set 2074 byte-range-set = 1#( byte-range-spec / suffix-byte-range-spec ) 2075 byte-range-spec = first-byte-pos "-" [ last-byte-pos ] 2076 first-byte-pos = 1*DIGIT 2077 last-byte-pos = 1*DIGIT 2079 The first-byte-pos value in a byte-range-spec gives the byte-offset 2080 of the first byte in a range. The last-byte-pos value gives the 2081 byte-offset of the last byte in the range; that is, the byte 2082 positions specified are inclusive. Byte offsets start at zero. 2084 Examples of byte-ranges-specifier values: 2086 o The first 500 bytes (byte offsets 0-499, inclusive): 2088 bytes=0-499 2090 o The second 500 bytes (byte offsets 500-999, inclusive): 2092 bytes=500-999 2094 A byte-range-spec is invalid if the last-byte-pos value is present 2095 and less than the first-byte-pos. 2097 A client can limit the number of bytes requested without knowing the 2098 size of the selected representation. If the last-byte-pos value is 2099 absent, or if the value is greater than or equal to the current 2100 length of the representation data, the byte range is interpreted as 2101 the remainder of the representation (i.e., the server replaces the 2102 value of last-byte-pos with a value that is one less than the current 2103 length of the selected representation). 2105 A client can request the last N bytes of the selected representation 2106 using a suffix-byte-range-spec. 2108 suffix-byte-range-spec = "-" suffix-length 2109 suffix-length = 1*DIGIT 2111 If the selected representation is shorter than the specified suffix- 2112 length, the entire representation is used. 2114 Additional examples, assuming a representation of length 10000: 2116 o The final 500 bytes (byte offsets 9500-9999, inclusive): 2118 bytes=-500 2120 Or: 2122 bytes=9500- 2124 o The first and last bytes only (bytes 0 and 9999): 2126 bytes=0-0,-1 2128 o Other valid (but not canonical) specifications of the second 500 2129 bytes (byte offsets 500-999, inclusive): 2131 bytes=500-600,601-999 2132 bytes=500-700,601-999 2134 If a valid byte-range-set includes at least one byte-range-spec with 2135 a first-byte-pos that is less than the current length of the 2136 representation, or at least one suffix-byte-range-spec with a non- 2137 zero suffix-length, then the byte-range-set is satisfiable. 2138 Otherwise, the byte-range-set is unsatisfiable. 2140 In the byte-range syntax, first-byte-pos, last-byte-pos, and suffix- 2141 length are expressed as decimal number of octets. Since there is no 2142 predefined limit to the length of a payload, recipients MUST 2143 anticipate potentially large decimal numerals and prevent parsing 2144 errors due to integer conversion overflows. 2146 6.1.4.2. Other Range Units 2148 Range units are intended to be extensible. New range units ought to 2149 be registered with IANA, as defined in Section 6.1.4.3. 2151 other-range-unit = token 2153 6.1.4.3. Range Unit Registry 2155 The "HTTP Range Unit Registry" defines the namespace for the range 2156 unit names and refers to their corresponding specifications. It is 2157 maintained at . 2159 Registration of an HTTP Range Unit MUST include the following fields: 2161 o Name 2163 o Description 2165 o Pointer to specification text 2166 Values to be added to this namespace require IETF Review (see 2167 [RFC8126], Section 4.8). 2169 6.2. Representation Metadata 2171 Representation header fields provide metadata about the 2172 representation. When a message includes a payload body, the 2173 representation header fields describe how to interpret the 2174 representation data enclosed in the payload body. In a response to a 2175 HEAD request, the representation header fields describe the 2176 representation data that would have been enclosed in the payload body 2177 if the same request had been a GET. 2179 The following header fields convey representation metadata: 2181 +-------------------+---------------+ 2182 | Header Field Name | Defined in... | 2183 +-------------------+---------------+ 2184 | Content-Type | Section 6.2.1 | 2185 | Content-Encoding | Section 6.2.2 | 2186 | Content-Language | Section 6.2.3 | 2187 | Content-Length | Section 6.2.4 | 2188 | Content-Location | Section 6.2.5 | 2189 +-------------------+---------------+ 2191 6.2.1. Content-Type 2193 The "Content-Type" header field indicates the media type of the 2194 associated representation: either the representation enclosed in the 2195 message payload or the selected representation, as determined by the 2196 message semantics. The indicated media type defines both the data 2197 format and how that data is intended to be processed by a recipient, 2198 within the scope of the received message semantics, after any content 2199 codings indicated by Content-Encoding are decoded. 2201 Content-Type = media-type 2203 Media types are defined in Section 6.1.1. An example of the field is 2205 Content-Type: text/html; charset=ISO-8859-4 2207 A sender that generates a message containing a payload body SHOULD 2208 generate a Content-Type header field in that message unless the 2209 intended media type of the enclosed representation is unknown to the 2210 sender. If a Content-Type header field is not present, the recipient 2211 MAY either assume a media type of "application/octet-stream" 2212 ([RFC2046], Section 4.5.1) or examine the data to determine its type. 2214 In practice, resource owners do not always properly configure their 2215 origin server to provide the correct Content-Type for a given 2216 representation, with the result that some clients will examine a 2217 payload's content and override the specified type. Clients that do 2218 so risk drawing incorrect conclusions, which might expose additional 2219 security risks (e.g., "privilege escalation"). Furthermore, it is 2220 impossible to determine the sender's intent by examining the data 2221 format: many data formats match multiple media types that differ only 2222 in processing semantics. Implementers are encouraged to provide a 2223 means of disabling such "content sniffing" when it is used. 2225 6.2.2. Content-Encoding 2227 The "Content-Encoding" header field indicates what content codings 2228 have been applied to the representation, beyond those inherent in the 2229 media type, and thus what decoding mechanisms have to be applied in 2230 order to obtain data in the media type referenced by the Content-Type 2231 header field. Content-Encoding is primarily used to allow a 2232 representation's data to be compressed without losing the identity of 2233 its underlying media type. 2235 Content-Encoding = 1#content-coding 2237 An example of its use is 2239 Content-Encoding: gzip 2241 If one or more encodings have been applied to a representation, the 2242 sender that applied the encodings MUST generate a Content-Encoding 2243 header field that lists the content codings in the order in which 2244 they were applied. Additional information about the encoding 2245 parameters can be provided by other header fields not defined by this 2246 specification. 2248 Unlike Transfer-Encoding (Section 6.1 of [Messaging]), the codings 2249 listed in Content-Encoding are a characteristic of the 2250 representation; the representation is defined in terms of the coded 2251 form, and all other metadata about the representation is about the 2252 coded form unless otherwise noted in the metadata definition. 2253 Typically, the representation is only decoded just prior to rendering 2254 or analogous usage. 2256 If the media type includes an inherent encoding, such as a data 2257 format that is always compressed, then that encoding would not be 2258 restated in Content-Encoding even if it happens to be the same 2259 algorithm as one of the content codings. Such a content coding would 2260 only be listed if, for some bizarre reason, it is applied a second 2261 time to form the representation. Likewise, an origin server might 2262 choose to publish the same data as multiple representations that 2263 differ only in whether the coding is defined as part of Content-Type 2264 or Content-Encoding, since some user agents will behave differently 2265 in their handling of each response (e.g., open a "Save as ..." dialog 2266 instead of automatic decompression and rendering of content). 2268 An origin server MAY respond with a status code of 415 (Unsupported 2269 Media Type) if a representation in the request message has a content 2270 coding that is not acceptable. 2272 6.2.3. Content-Language 2274 The "Content-Language" header field describes the natural language(s) 2275 of the intended audience for the representation. Note that this 2276 might not be equivalent to all the languages used within the 2277 representation. 2279 Content-Language = 1#language-tag 2281 Language tags are defined in Section 6.1.3. The primary purpose of 2282 Content-Language is to allow a user to identify and differentiate 2283 representations according to the users' own preferred language. 2284 Thus, if the content is intended only for a Danish-literate audience, 2285 the appropriate field is 2287 Content-Language: da 2289 If no Content-Language is specified, the default is that the content 2290 is intended for all language audiences. This might mean that the 2291 sender does not consider it to be specific to any natural language, 2292 or that the sender does not know for which language it is intended. 2294 Multiple languages MAY be listed for content that is intended for 2295 multiple audiences. For example, a rendition of the "Treaty of 2296 Waitangi", presented simultaneously in the original Maori and English 2297 versions, would call for 2299 Content-Language: mi, en 2301 However, just because multiple languages are present within a 2302 representation does not mean that it is intended for multiple 2303 linguistic audiences. An example would be a beginner's language 2304 primer, such as "A First Lesson in Latin", which is clearly intended 2305 to be used by an English-literate audience. In this case, the 2306 Content-Language would properly only include "en". 2308 Content-Language MAY be applied to any media type -- it is not 2309 limited to textual documents. 2311 6.2.4. Content-Length 2313 [[CREF4: The "Content-Length" header field indicates the number of 2314 data octets (body length) for the representation. In some cases, 2315 Content-Length is used to define or estimate message framing. ]] 2317 Content-Length = 1*DIGIT 2319 An example is 2321 Content-Length: 3495 2323 A sender MUST NOT send a Content-Length header field in any message 2324 that contains a Transfer-Encoding header field. 2326 A user agent SHOULD send a Content-Length in a request message when 2327 no Transfer-Encoding is sent and the request method defines a meaning 2328 for an enclosed payload body. For example, a Content-Length header 2329 field is normally sent in a POST request even when the value is 0 2330 (indicating an empty payload body). A user agent SHOULD NOT send a 2331 Content-Length header field when the request message does not contain 2332 a payload body and the method semantics do not anticipate such a 2333 body. 2335 A server MAY send a Content-Length header field in a response to a 2336 HEAD request (Section 7.3.2); a server MUST NOT send Content-Length 2337 in such a response unless its field-value equals the decimal number 2338 of octets that would have been sent in the payload body of a response 2339 if the same request had used the GET method. 2341 A server MAY send a Content-Length header field in a 304 (Not 2342 Modified) response to a conditional GET request (Section 9.4.5); a 2343 server MUST NOT send Content-Length in such a response unless its 2344 field-value equals the decimal number of octets that would have been 2345 sent in the payload body of a 200 (OK) response to the same request. 2347 A server MUST NOT send a Content-Length header field in any response 2348 with a status code of 1xx (Informational) or 204 (No Content). A 2349 server MUST NOT send a Content-Length header field in any 2xx 2350 (Successful) response to a CONNECT request (Section 7.3.6). 2352 Aside from the cases defined above, in the absence of Transfer- 2353 Encoding, an origin server SHOULD send a Content-Length header field 2354 when the payload body size is known prior to sending the complete 2355 header section. This will allow downstream recipients to measure 2356 transfer progress, know when a received message is complete, and 2357 potentially reuse the connection for additional requests. 2359 Any Content-Length field value greater than or equal to zero is 2360 valid. Since there is no predefined limit to the length of a 2361 payload, a recipient MUST anticipate potentially large decimal 2362 numerals and prevent parsing errors due to integer conversion 2363 overflows (Section 12.5). 2365 If a message is received that has multiple Content-Length header 2366 fields with field-values consisting of the same decimal value, or a 2367 single Content-Length header field with a field value containing a 2368 list of identical decimal values (e.g., "Content-Length: 42, 42"), 2369 indicating that duplicate Content-Length header fields have been 2370 generated or combined by an upstream message processor, then the 2371 recipient MUST either reject the message as invalid or replace the 2372 duplicated field-values with a single valid Content-Length field 2373 containing that decimal value prior to determining the message body 2374 length or forwarding the message. 2376 6.2.5. Content-Location 2378 The "Content-Location" header field references a URI that can be used 2379 as an identifier for a specific resource corresponding to the 2380 representation in this message's payload. In other words, if one 2381 were to perform a GET request on this URI at the time of this 2382 message's generation, then a 200 (OK) response would contain the same 2383 representation that is enclosed as payload in this message. 2385 Content-Location = absolute-URI / partial-URI 2387 The Content-Location value is not a replacement for the effective 2388 Request URI (Section 5.3). It is representation metadata. It has 2389 the same syntax and semantics as the header field of the same name 2390 defined for MIME body parts in Section 4 of [RFC2557]. However, its 2391 appearance in an HTTP message has some special implications for HTTP 2392 recipients. 2394 If Content-Location is included in a 2xx (Successful) response 2395 message and its value refers (after conversion to absolute form) to a 2396 URI that is the same as the effective request URI, then the recipient 2397 MAY consider the payload to be a current representation of that 2398 resource at the time indicated by the message origination date. For 2399 a GET (Section 7.3.1) or HEAD (Section 7.3.2) request, this is the 2400 same as the default semantics when no Content-Location is provided by 2401 the server. For a state-changing request like PUT (Section 7.3.4) or 2402 POST (Section 7.3.3), it implies that the server's response contains 2403 the new representation of that resource, thereby distinguishing it 2404 from representations that might only report about the action (e.g., 2405 "It worked!"). This allows authoring applications to update their 2406 local copies without the need for a subsequent GET request. 2408 If Content-Location is included in a 2xx (Successful) response 2409 message and its field-value refers to a URI that differs from the 2410 effective request URI, then the origin server claims that the URI is 2411 an identifier for a different resource corresponding to the enclosed 2412 representation. Such a claim can only be trusted if both identifiers 2413 share the same resource owner, which cannot be programmatically 2414 determined via HTTP. 2416 o For a response to a GET or HEAD request, this is an indication 2417 that the effective request URI refers to a resource that is 2418 subject to content negotiation and the Content-Location field- 2419 value is a more specific identifier for the selected 2420 representation. 2422 o For a 201 (Created) response to a state-changing method, a 2423 Content-Location field-value that is identical to the Location 2424 field-value indicates that this payload is a current 2425 representation of the newly created resource. 2427 o Otherwise, such a Content-Location indicates that this payload is 2428 a representation reporting on the requested action's status and 2429 that the same report is available (for future access with GET) at 2430 the given URI. For example, a purchase transaction made via a 2431 POST request might include a receipt document as the payload of 2432 the 200 (OK) response; the Content-Location field-value provides 2433 an identifier for retrieving a copy of that same receipt in the 2434 future. 2436 A user agent that sends Content-Location in a request message is 2437 stating that its value refers to where the user agent originally 2438 obtained the content of the enclosed representation (prior to any 2439 modifications made by that user agent). In other words, the user 2440 agent is providing a back link to the source of the original 2441 representation. 2443 An origin server that receives a Content-Location field in a request 2444 message MUST treat the information as transitory request context 2445 rather than as metadata to be saved verbatim as part of the 2446 representation. An origin server MAY use that context to guide in 2447 processing the request or to save it for other uses, such as within 2448 source links or versioning metadata. However, an origin server MUST 2449 NOT use such context information to alter the request semantics. 2451 For example, if a client makes a PUT request on a negotiated resource 2452 and the origin server accepts that PUT (without redirection), then 2453 the new state of that resource is expected to be consistent with the 2454 one representation supplied in that PUT; the Content-Location cannot 2455 be used as a form of reverse content selection identifier to update 2456 only one of the negotiated representations. If the user agent had 2457 wanted the latter semantics, it would have applied the PUT directly 2458 to the Content-Location URI. 2460 6.3. Payload 2462 Some HTTP messages transfer a complete or partial representation as 2463 the message "payload". In some cases, a payload might contain only 2464 the associated representation's header fields (e.g., responses to 2465 HEAD) or only some part(s) of the representation data (e.g., the 206 2466 (Partial Content) status code). 2468 Header fields that specifically describe the payload, rather than the 2469 associated representation, are referred to as "payload header 2470 fields". Payload header fields are defined in other parts of this 2471 specification, due to their impact on message parsing. 2473 +-------------------+----------------------------+ 2474 | Header Field Name | Defined in... | 2475 +-------------------+----------------------------+ 2476 | Content-Range | Section 6.3.3 | 2477 | Trailer | Section 4.4 | 2478 | Transfer-Encoding | Section 6.1 of [Messaging] | 2479 +-------------------+----------------------------+ 2481 6.3.1. Purpose 2483 The purpose of a payload in a request is defined by the method 2484 semantics. For example, a representation in the payload of a PUT 2485 request (Section 7.3.4) represents the desired state of the target 2486 resource if the request is successfully applied, whereas a 2487 representation in the payload of a POST request (Section 7.3.3) 2488 represents information to be processed by the target resource. 2490 In a response, the payload's purpose is defined by both the request 2491 method and the response status code. For example, the payload of a 2492 200 (OK) response to GET (Section 7.3.1) represents the current state 2493 of the target resource, as observed at the time of the message 2494 origination date (Section 10.1.1.2), whereas the payload of the same 2495 status code in a response to POST might represent either the 2496 processing result or the new state of the target resource after 2497 applying the processing. Response messages with an error status code 2498 usually contain a payload that represents the error condition, such 2499 that it describes the error state and what next steps are suggested 2500 for resolving it. 2502 6.3.2. Identification 2504 When a complete or partial representation is transferred in a message 2505 payload, it is often desirable for the sender to supply, or the 2506 recipient to determine, an identifier for a resource corresponding to 2507 that representation. 2509 For a request message: 2511 o If the request has a Content-Location header field, then the 2512 sender asserts that the payload is a representation of the 2513 resource identified by the Content-Location field-value. However, 2514 such an assertion cannot be trusted unless it can be verified by 2515 other means (not defined by this specification). The information 2516 might still be useful for revision history links. 2518 o Otherwise, the payload is unidentified. 2520 For a response message, the following rules are applied in order 2521 until a match is found: 2523 1. If the request method is GET or HEAD and the response status code 2524 is 200 (OK), 204 (No Content), 206 (Partial Content), or 304 (Not 2525 Modified), the payload is a representation of the resource 2526 identified by the effective request URI (Section 5.3). 2528 2. If the request method is GET or HEAD and the response status code 2529 is 203 (Non-Authoritative Information), the payload is a 2530 potentially modified or enhanced representation of the target 2531 resource as provided by an intermediary. 2533 3. If the response has a Content-Location header field and its 2534 field-value is a reference to the same URI as the effective 2535 request URI, the payload is a representation of the resource 2536 identified by the effective request URI. 2538 4. If the response has a Content-Location header field and its 2539 field-value is a reference to a URI different from the effective 2540 request URI, then the sender asserts that the payload is a 2541 representation of the resource identified by the Content-Location 2542 field-value. However, such an assertion cannot be trusted unless 2543 it can be verified by other means (not defined by this 2544 specification). 2546 5. Otherwise, the payload is unidentified. 2548 6.3.3. Content-Range 2550 The "Content-Range" header field is sent in a single part 206 2551 (Partial Content) response to indicate the partial range of the 2552 selected representation enclosed as the message payload, sent in each 2553 part of a multipart 206 response to indicate the range enclosed 2554 within each body part, and sent in 416 (Range Not Satisfiable) 2555 responses to provide information about the selected representation. 2557 Content-Range = byte-content-range 2558 / other-content-range 2560 byte-content-range = bytes-unit SP 2561 ( byte-range-resp / unsatisfied-range ) 2563 byte-range-resp = byte-range "/" ( complete-length / "*" ) 2564 byte-range = first-byte-pos "-" last-byte-pos 2565 unsatisfied-range = "*/" complete-length 2567 complete-length = 1*DIGIT 2569 other-content-range = other-range-unit SP other-range-resp 2570 other-range-resp = *VCHAR 2572 If a 206 (Partial Content) response contains a Content-Range header 2573 field with a range unit (Section 6.1.4) that the recipient does not 2574 understand, the recipient MUST NOT attempt to recombine it with a 2575 stored representation. A proxy that receives such a message SHOULD 2576 forward it downstream. 2578 For byte ranges, a sender SHOULD indicate the complete length of the 2579 representation from which the range has been extracted, unless the 2580 complete length is unknown or difficult to determine. An asterisk 2581 character ("*") in place of the complete-length indicates that the 2582 representation length was unknown when the header field was 2583 generated. 2585 The following example illustrates when the complete length of the 2586 selected representation is known by the sender to be 1234 bytes: 2588 Content-Range: bytes 42-1233/1234 2590 and this second example illustrates when the complete length is 2591 unknown: 2593 Content-Range: bytes 42-1233/* 2595 A Content-Range field value is invalid if it contains a byte-range- 2596 resp that has a last-byte-pos value less than its first-byte-pos 2597 value, or a complete-length value less than or equal to its last- 2598 byte-pos value. The recipient of an invalid Content-Range MUST NOT 2599 attempt to recombine the received content with a stored 2600 representation. 2602 A server generating a 416 (Range Not Satisfiable) response to a byte- 2603 range request SHOULD send a Content-Range header field with an 2604 unsatisfied-range value, as in the following example: 2606 Content-Range: bytes */1234 2608 The complete-length in a 416 response indicates the current length of 2609 the selected representation. 2611 The Content-Range header field has no meaning for status codes that 2612 do not explicitly describe its semantic. For this specification, 2613 only the 206 (Partial Content) and 416 (Range Not Satisfiable) status 2614 codes describe a meaning for Content-Range. 2616 The following are examples of Content-Range values in which the 2617 selected representation contains a total of 1234 bytes: 2619 o The first 500 bytes: 2621 Content-Range: bytes 0-499/1234 2623 o The second 500 bytes: 2625 Content-Range: bytes 500-999/1234 2627 o All except for the first 500 bytes: 2629 Content-Range: bytes 500-1233/1234 2631 o The last 500 bytes: 2633 Content-Range: bytes 734-1233/1234 2635 6.3.4. Media Type multipart/byteranges 2637 When a 206 (Partial Content) response message includes the content of 2638 multiple ranges, they are transmitted as body parts in a multipart 2639 message body ([RFC2046], Section 5.1) with the media type of 2640 "multipart/byteranges". 2642 The multipart/byteranges media type includes one or more body parts, 2643 each with its own Content-Type and Content-Range fields. The 2644 required boundary parameter specifies the boundary string used to 2645 separate each body part. 2647 Implementation Notes: 2649 1. Additional CRLFs might precede the first boundary string in the 2650 body. 2652 2. Although [RFC2046] permits the boundary string to be quoted, some 2653 existing implementations handle a quoted boundary string 2654 incorrectly. 2656 3. A number of clients and servers were coded to an early draft of 2657 the byteranges specification that used a media type of multipart/ 2658 x-byteranges, which is almost (but not quite) compatible with 2659 this type. 2661 Despite the name, the "multipart/byteranges" media type is not 2662 limited to byte ranges. The following example uses an "exampleunit" 2663 range unit: 2665 HTTP/1.1 206 Partial Content 2666 Date: Tue, 14 Nov 1995 06:25:24 GMT 2667 Last-Modified: Tue, 14 July 04:58:08 GMT 2668 Content-Length: 2331785 2669 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 2671 --THIS_STRING_SEPARATES 2672 Content-Type: video/example 2673 Content-Range: exampleunit 1.2-4.3/25 2675 ...the first range... 2676 --THIS_STRING_SEPARATES 2677 Content-Type: video/example 2678 Content-Range: exampleunit 11.2-14.3/25 2680 ...the second range 2681 --THIS_STRING_SEPARATES-- 2683 The following information serves as the registration form for the 2684 multipart/byteranges media type. 2686 Type name: multipart 2688 Subtype name: byteranges 2690 Required parameters: boundary 2692 Optional parameters: N/A 2694 Encoding considerations: only "7bit", "8bit", or "binary" are 2695 permitted 2697 Security considerations: see Section 12 2699 Interoperability considerations: N/A 2701 Published specification: This specification (see Section 6.3.4). 2703 Applications that use this media type: HTTP components supporting 2704 multiple ranges in a single request. 2706 Fragment identifier considerations: N/A 2708 Additional information: 2710 Deprecated alias names for this type: N/A 2712 Magic number(s): N/A 2714 File extension(s): N/A 2716 Macintosh file type code(s): N/A 2718 Person and email address to contact for further information: See Aut 2719 hors' Addresses section. 2721 Intended usage: COMMON 2723 Restrictions on usage: N/A 2725 Author: See Authors' Addresses section. 2727 Change controller: IESG 2729 6.4. Content Negotiation 2731 When responses convey payload information, whether indicating a 2732 success or an error, the origin server often has different ways of 2733 representing that information; for example, in different formats, 2734 languages, or encodings. Likewise, different users or user agents 2735 might have differing capabilities, characteristics, or preferences 2736 that could influence which representation, among those available, 2737 would be best to deliver. For this reason, HTTP provides mechanisms 2738 for content negotiation. 2740 This specification defines two patterns of content negotiation that 2741 can be made visible within the protocol: "proactive", where the 2742 server selects the representation based upon the user agent's stated 2743 preferences, and "reactive" negotiation, where the server provides a 2744 list of representations for the user agent to choose from. Other 2745 patterns of content negotiation include "conditional content", where 2746 the representation consists of multiple parts that are selectively 2747 rendered based on user agent parameters, "active content", where the 2748 representation contains a script that makes additional (more 2749 specific) requests based on the user agent characteristics, and 2750 "Transparent Content Negotiation" ([RFC2295]), where content 2751 selection is performed by an intermediary. These patterns are not 2752 mutually exclusive, and each has trade-offs in applicability and 2753 practicality. 2755 Note that, in all cases, HTTP is not aware of the resource semantics. 2756 The consistency with which an origin server responds to requests, 2757 over time and over the varying dimensions of content negotiation, and 2758 thus the "sameness" of a resource's observed representations over 2759 time, is determined entirely by whatever entity or algorithm selects 2760 or generates those responses. HTTP pays no attention to the man 2761 behind the curtain. 2763 6.4.1. Proactive Negotiation 2765 When content negotiation preferences are sent by the user agent in a 2766 request to encourage an algorithm located at the server to select the 2767 preferred representation, it is called proactive negotiation (a.k.a., 2768 server-driven negotiation). Selection is based on the available 2769 representations for a response (the dimensions over which it might 2770 vary, such as language, content-coding, etc.) compared to various 2771 information supplied in the request, including both the explicit 2772 negotiation fields of Section 8.4 and implicit characteristics, such 2773 as the client's network address or parts of the User-Agent field. 2775 Proactive negotiation is advantageous when the algorithm for 2776 selecting from among the available representations is difficult to 2777 describe to a user agent, or when the server desires to send its 2778 "best guess" to the user agent along with the first response (hoping 2779 to avoid the round trip delay of a subsequent request if the "best 2780 guess" is good enough for the user). In order to improve the 2781 server's guess, a user agent MAY send request header fields that 2782 describe its preferences. 2784 Proactive negotiation has serious disadvantages: 2786 o It is impossible for the server to accurately determine what might 2787 be "best" for any given user, since that would require complete 2788 knowledge of both the capabilities of the user agent and the 2789 intended use for the response (e.g., does the user want to view it 2790 on screen or print it on paper?); 2792 o Having the user agent describe its capabilities in every request 2793 can be both very inefficient (given that only a small percentage 2794 of responses have multiple representations) and a potential risk 2795 to the user's privacy; 2797 o It complicates the implementation of an origin server and the 2798 algorithms for generating responses to a request; and, 2800 o It limits the reusability of responses for shared caching. 2802 A user agent cannot rely on proactive negotiation preferences being 2803 consistently honored, since the origin server might not implement 2804 proactive negotiation for the requested resource or might decide that 2805 sending a response that doesn't conform to the user agent's 2806 preferences is better than sending a 406 (Not Acceptable) response. 2808 A Vary header field (Section 10.1.4) is often sent in a response 2809 subject to proactive negotiation to indicate what parts of the 2810 request information were used in the selection algorithm. 2812 6.4.2. Reactive Negotiation 2814 With reactive negotiation (a.k.a., agent-driven negotiation), 2815 selection of the best response representation (regardless of the 2816 status code) is performed by the user agent after receiving an 2817 initial response from the origin server that contains a list of 2818 resources for alternative representations. If the user agent is not 2819 satisfied by the initial response representation, it can perform a 2820 GET request on one or more of the alternative resources, selected 2821 based on metadata included in the list, to obtain a different form of 2822 representation for that response. Selection of alternatives might be 2823 performed automatically by the user agent or manually by the user 2824 selecting from a generated (possibly hypertext) menu. 2826 Note that the above refers to representations of the response, in 2827 general, not representations of the resource. The alternative 2828 representations are only considered representations of the target 2829 resource if the response in which those alternatives are provided has 2830 the semantics of being a representation of the target resource (e.g., 2831 a 200 (OK) response to a GET request) or has the semantics of 2832 providing links to alternative representations for the target 2833 resource (e.g., a 300 (Multiple Choices) response to a GET request). 2835 A server might choose not to send an initial representation, other 2836 than the list of alternatives, and thereby indicate that reactive 2837 negotiation by the user agent is preferred. For example, the 2838 alternatives listed in responses with the 300 (Multiple Choices) and 2839 406 (Not Acceptable) status codes include information about the 2840 available representations so that the user or user agent can react by 2841 making a selection. 2843 Reactive negotiation is advantageous when the response would vary 2844 over commonly used dimensions (such as type, language, or encoding), 2845 when the origin server is unable to determine a user agent's 2846 capabilities from examining the request, and generally when public 2847 caches are used to distribute server load and reduce network usage. 2849 Reactive negotiation suffers from the disadvantages of transmitting a 2850 list of alternatives to the user agent, which degrades user-perceived 2851 latency if transmitted in the header section, and needing a second 2852 request to obtain an alternate representation. Furthermore, this 2853 specification does not define a mechanism for supporting automatic 2854 selection, though it does not prevent such a mechanism from being 2855 developed as an extension. 2857 7. Request Methods 2859 7.1. Overview 2861 The request method token is the primary source of request semantics; 2862 it indicates the purpose for which the client has made this request 2863 and what is expected by the client as a successful result. 2865 The request method's semantics might be further specialized by the 2866 semantics of some header fields when present in a request (Section 8) 2867 if those additional semantics do not conflict with the method. For 2868 example, a client can send conditional request header fields 2869 (Section 8.2) to make the requested action conditional on the current 2870 state of the target resource. 2872 method = token 2874 HTTP was originally designed to be usable as an interface to 2875 distributed object systems. The request method was envisioned as 2876 applying semantics to a target resource in much the same way as 2877 invoking a defined method on an identified object would apply 2878 semantics. 2880 The method token is case-sensitive because it might be used as a 2881 gateway to object-based systems with case-sensitive method names. By 2882 convention, standardized methods are defined in all-uppercase US- 2883 ASCII letters. 2885 Unlike distributed objects, the standardized request methods in HTTP 2886 are not resource-specific, since uniform interfaces provide for 2887 better visibility and reuse in network-based systems [REST]. Once 2888 defined, a standardized method ought to have the same semantics when 2889 applied to any resource, though each resource determines for itself 2890 whether those semantics are implemented or allowed. 2892 This specification defines a number of standardized methods that are 2893 commonly used in HTTP, as outlined by the following table. 2895 +---------+-------------------------------------------------+-------+ 2896 | Method | Description | Sec. | 2897 +---------+-------------------------------------------------+-------+ 2898 | GET | Transfer a current representation of the target | 7.3.1 | 2899 | | resource. | | 2900 | HEAD | Same as GET, but only transfer the status line | 7.3.2 | 2901 | | and header section. | | 2902 | POST | Perform resource-specific processing on the | 7.3.3 | 2903 | | request payload. | | 2904 | PUT | Replace all current representations of the | 7.3.4 | 2905 | | target resource with the request payload. | | 2906 | DELETE | Remove all current representations of the | 7.3.5 | 2907 | | target resource. | | 2908 | CONNECT | Establish a tunnel to the server identified by | 7.3.6 | 2909 | | the target resource. | | 2910 | OPTIONS | Describe the communication options for the | 7.3.7 | 2911 | | target resource. | | 2912 | TRACE | Perform a message loop-back test along the path | 7.3.8 | 2913 | | to the target resource. | | 2914 +---------+-------------------------------------------------+-------+ 2916 All general-purpose servers MUST support the methods GET and HEAD. 2917 All other methods are OPTIONAL. 2919 The set of methods allowed by a target resource can be listed in an 2920 Allow header field (Section 10.4.2). However, the set of allowed 2921 methods can change dynamically. When a request method is received 2922 that is unrecognized or not implemented by an origin server, the 2923 origin server SHOULD respond with the 501 (Not Implemented) status 2924 code. When a request method is received that is known by an origin 2925 server but not allowed for the target resource, the origin server 2926 SHOULD respond with the 405 (Method Not Allowed) status code. 2928 7.2. Common Method Properties 2930 +---------+------+------------+----------------+ 2931 | Method | Safe | Idempotent | Reference | 2932 +---------+------+------------+----------------+ 2933 | CONNECT | no | no | Section 7.3.6 | 2934 | DELETE | no | yes | Section 7.3.5 | 2935 | GET | yes | yes | Section 7.3.1 | 2936 | HEAD | yes | yes | Section 7.3.2 | 2937 | OPTIONS | yes | yes | Section 7.3.7 | 2938 | POST | no | no | Section 7.3.3 | 2939 | PUT | no | yes | Section 7.3.4 | 2940 | TRACE | yes | yes | Section 7.3.8 | 2941 +---------+------+------------+----------------+ 2943 7.2.1. Safe Methods 2945 Request methods are considered "safe" if their defined semantics are 2946 essentially read-only; i.e., the client does not request, and does 2947 not expect, any state change on the origin server as a result of 2948 applying a safe method to a target resource. Likewise, reasonable 2949 use of a safe method is not expected to cause any harm, loss of 2950 property, or unusual burden on the origin server. 2952 This definition of safe methods does not prevent an implementation 2953 from including behavior that is potentially harmful, that is not 2954 entirely read-only, or that causes side effects while invoking a safe 2955 method. What is important, however, is that the client did not 2956 request that additional behavior and cannot be held accountable for 2957 it. For example, most servers append request information to access 2958 log files at the completion of every response, regardless of the 2959 method, and that is considered safe even though the log storage might 2960 become full and crash the server. Likewise, a safe request initiated 2961 by selecting an advertisement on the Web will often have the side 2962 effect of charging an advertising account. 2964 Of the request methods defined by this specification, the GET, HEAD, 2965 OPTIONS, and TRACE methods are defined to be safe. 2967 The purpose of distinguishing between safe and unsafe methods is to 2968 allow automated retrieval processes (spiders) and cache performance 2969 optimization (pre-fetching) to work without fear of causing harm. In 2970 addition, it allows a user agent to apply appropriate constraints on 2971 the automated use of unsafe methods when processing potentially 2972 untrusted content. 2974 A user agent SHOULD distinguish between safe and unsafe methods when 2975 presenting potential actions to a user, such that the user can be 2976 made aware of an unsafe action before it is requested. 2978 When a resource is constructed such that parameters within the 2979 effective request URI have the effect of selecting an action, it is 2980 the resource owner's responsibility to ensure that the action is 2981 consistent with the request method semantics. For example, it is 2982 common for Web-based content editing software to use actions within 2983 query parameters, such as "page?do=delete". If the purpose of such a 2984 resource is to perform an unsafe action, then the resource owner MUST 2985 disable or disallow that action when it is accessed using a safe 2986 request method. Failure to do so will result in unfortunate side 2987 effects when automated processes perform a GET on every URI reference 2988 for the sake of link maintenance, pre-fetching, building a search 2989 index, etc. 2991 7.2.2. Idempotent Methods 2993 A request method is considered "idempotent" if the intended effect on 2994 the server of multiple identical requests with that method is the 2995 same as the effect for a single such request. Of the request methods 2996 defined by this specification, PUT, DELETE, and safe request methods 2997 are idempotent. 2999 Like the definition of safe, the idempotent property only applies to 3000 what has been requested by the user; a server is free to log each 3001 request separately, retain a revision control history, or implement 3002 other non-idempotent side effects for each idempotent request. 3004 Idempotent methods are distinguished because the request can be 3005 repeated automatically if a communication failure occurs before the 3006 client is able to read the server's response. For example, if a 3007 client sends a PUT request and the underlying connection is closed 3008 before any response is received, then the client can establish a new 3009 connection and retry the idempotent request. It knows that repeating 3010 the request will have the same intended effect, even if the original 3011 request succeeded, though the response might differ. 3013 7.2.3. Cacheable Methods 3015 Request methods can be defined as "cacheable" to indicate that 3016 responses to them are allowed to be stored for future reuse; for 3017 specific requirements see [Caching]. In general, safe methods that 3018 do not depend on a current or authoritative response are defined as 3019 cacheable; this specification defines GET, HEAD, and POST as 3020 cacheable, although the overwhelming majority of cache 3021 implementations only support GET and HEAD. 3023 7.3. Method Definitions 3025 7.3.1. GET 3027 The GET method requests transfer of a current selected representation 3028 for the target resource. GET is the primary mechanism of information 3029 retrieval and the focus of almost all performance optimizations. 3030 Hence, when people speak of retrieving some identifiable information 3031 via HTTP, they are generally referring to making a GET request. 3033 It is tempting to think of resource identifiers as remote file system 3034 pathnames and of representations as being a copy of the contents of 3035 such files. In fact, that is how many resources are implemented (see 3036 Section 12.3 for related security considerations). However, there 3037 are no such limitations in practice. The HTTP interface for a 3038 resource is just as likely to be implemented as a tree of content 3039 objects, a programmatic view on various database records, or a 3040 gateway to other information systems. Even when the URI mapping 3041 mechanism is tied to a file system, an origin server might be 3042 configured to execute the files with the request as input and send 3043 the output as the representation rather than transfer the files 3044 directly. Regardless, only the origin server needs to know how each 3045 of its resource identifiers corresponds to an implementation and how 3046 each implementation manages to select and send a current 3047 representation of the target resource in a response to GET. 3049 A client can alter the semantics of GET to be a "range request", 3050 requesting transfer of only some part(s) of the selected 3051 representation, by sending a Range header field in the request 3052 (Section 8.3). 3054 A payload within a GET request message has no defined semantics; 3055 sending a payload body on a GET request might cause some existing 3056 implementations to reject the request. 3058 The response to a GET request is cacheable; a cache MAY use it to 3059 satisfy subsequent GET and HEAD requests unless otherwise indicated 3060 by the Cache-Control header field (Section 5.2 of [Caching]). 3062 7.3.2. HEAD 3064 The HEAD method is identical to GET except that the server MUST NOT 3065 send a message body in the response (i.e., the response terminates at 3066 the end of the header section). The server SHOULD send the same 3067 header fields in response to a HEAD request as it would have sent if 3068 the request had been a GET, except that the payload header fields 3069 (Section 6.3) MAY be omitted. This method can be used for obtaining 3070 metadata about the selected representation without transferring the 3071 representation data and is often used for testing hypertext links for 3072 validity, accessibility, and recent modification. 3074 A payload within a HEAD request message has no defined semantics; 3075 sending a payload body on a HEAD request might cause some existing 3076 implementations to reject the request. 3078 The response to a HEAD request is cacheable; a cache MAY use it to 3079 satisfy subsequent HEAD requests unless otherwise indicated by the 3080 Cache-Control header field (Section 5.2 of [Caching]). A HEAD 3081 response might also have an effect on previously cached responses to 3082 GET; see Section 4.3.5 of [Caching]. 3084 7.3.3. POST 3086 The POST method requests that the target resource process the 3087 representation enclosed in the request according to the resource's 3088 own specific semantics. For example, POST is used for the following 3089 functions (among others): 3091 o Providing a block of data, such as the fields entered into an HTML 3092 form, to a data-handling process; 3094 o Posting a message to a bulletin board, newsgroup, mailing list, 3095 blog, or similar group of articles; 3097 o Creating a new resource that has yet to be identified by the 3098 origin server; and 3100 o Appending data to a resource's existing representation(s). 3102 An origin server indicates response semantics by choosing an 3103 appropriate status code depending on the result of processing the 3104 POST request; almost all of the status codes defined by this 3105 specification might be received in a response to POST (the exceptions 3106 being 206 (Partial Content), 304 (Not Modified), and 416 (Range Not 3107 Satisfiable)). 3109 If one or more resources has been created on the origin server as a 3110 result of successfully processing a POST request, the origin server 3111 SHOULD send a 201 (Created) response containing a Location header 3112 field that provides an identifier for the primary resource created 3113 (Section 10.1.2) and a representation that describes the status of 3114 the request while referring to the new resource(s). 3116 Responses to POST requests are only cacheable when they include 3117 explicit freshness information (see Section 4.2.1 of [Caching]) and a 3118 Content-Location header field that has the same value as the POST's 3119 effective request URI (Section 6.2.5). A cached POST response can be 3120 reused to satisfy a later GET or HEAD request, but not a POST 3121 request, since POST is required to be written through to the origin 3122 server, because it is unsafe; see Section 4 of [Caching]. 3124 If the result of processing a POST would be equivalent to a 3125 representation of an existing resource, an origin server MAY redirect 3126 the user agent to that resource by sending a 303 (See Other) response 3127 with the existing resource's identifier in the Location field. This 3128 has the benefits of providing the user agent a resource identifier 3129 and transferring the representation via a method more amenable to 3130 shared caching, though at the cost of an extra request if the user 3131 agent does not already have the representation cached. 3133 7.3.4. PUT 3135 The PUT method requests that the state of the target resource be 3136 created or replaced with the state defined by the representation 3137 enclosed in the request message payload. A successful PUT of a given 3138 representation would suggest that a subsequent GET on that same 3139 target resource will result in an equivalent representation being 3140 sent in a 200 (OK) response. However, there is no guarantee that 3141 such a state change will be observable, since the target resource 3142 might be acted upon by other user agents in parallel, or might be 3143 subject to dynamic processing by the origin server, before any 3144 subsequent GET is received. A successful response only implies that 3145 the user agent's intent was achieved at the time of its processing by 3146 the origin server. 3148 If the target resource does not have a current representation and the 3149 PUT successfully creates one, then the origin server MUST inform the 3150 user agent by sending a 201 (Created) response. If the target 3151 resource does have a current representation and that representation 3152 is successfully modified in accordance with the state of the enclosed 3153 representation, then the origin server MUST send either a 200 (OK) or 3154 a 204 (No Content) response to indicate successful completion of the 3155 request. 3157 An origin server SHOULD ignore unrecognized header fields received in 3158 a PUT request (i.e., do not save them as part of the resource state). 3160 An origin server SHOULD verify that the PUT representation is 3161 consistent with any constraints the server has for the target 3162 resource that cannot or will not be changed by the PUT. This is 3163 particularly important when the origin server uses internal 3164 configuration information related to the URI in order to set the 3165 values for representation metadata on GET responses. When a PUT 3166 representation is inconsistent with the target resource, the origin 3167 server SHOULD either make them consistent, by transforming the 3168 representation or changing the resource configuration, or respond 3169 with an appropriate error message containing sufficient information 3170 to explain why the representation is unsuitable. The 409 (Conflict) 3171 or 415 (Unsupported Media Type) status codes are suggested, with the 3172 latter being specific to constraints on Content-Type values. 3174 For example, if the target resource is configured to always have a 3175 Content-Type of "text/html" and the representation being PUT has a 3176 Content-Type of "image/jpeg", the origin server ought to do one of: 3178 a. reconfigure the target resource to reflect the new media type; 3180 b. transform the PUT representation to a format consistent with that 3181 of the resource before saving it as the new resource state; or, 3183 c. reject the request with a 415 (Unsupported Media Type) response 3184 indicating that the target resource is limited to "text/html", 3185 perhaps including a link to a different resource that would be a 3186 suitable target for the new representation. 3188 HTTP does not define exactly how a PUT method affects the state of an 3189 origin server beyond what can be expressed by the intent of the user 3190 agent request and the semantics of the origin server response. It 3191 does not define what a resource might be, in any sense of that word, 3192 beyond the interface provided via HTTP. It does not define how 3193 resource state is "stored", nor how such storage might change as a 3194 result of a change in resource state, nor how the origin server 3195 translates resource state into representations. Generally speaking, 3196 all implementation details behind the resource interface are 3197 intentionally hidden by the server. 3199 An origin server MUST NOT send a validator header field 3200 (Section 10.2), such as an ETag or Last-Modified field, in a 3201 successful response to PUT unless the request's representation data 3202 was saved without any transformation applied to the body (i.e., the 3203 resource's new representation data is identical to the representation 3204 data received in the PUT request) and the validator field value 3205 reflects the new representation. This requirement allows a user 3206 agent to know when the representation body it has in memory remains 3207 current as a result of the PUT, thus not in need of being retrieved 3208 again from the origin server, and that the new validator(s) received 3209 in the response can be used for future conditional requests in order 3210 to prevent accidental overwrites (Section 8.2). 3212 The fundamental difference between the POST and PUT methods is 3213 highlighted by the different intent for the enclosed representation. 3214 The target resource in a POST request is intended to handle the 3215 enclosed representation according to the resource's own semantics, 3216 whereas the enclosed representation in a PUT request is defined as 3217 replacing the state of the target resource. Hence, the intent of PUT 3218 is idempotent and visible to intermediaries, even though the exact 3219 effect is only known by the origin server. 3221 Proper interpretation of a PUT request presumes that the user agent 3222 knows which target resource is desired. A service that selects a 3223 proper URI on behalf of the client, after receiving a state-changing 3224 request, SHOULD be implemented using the POST method rather than PUT. 3225 If the origin server will not make the requested PUT state change to 3226 the target resource and instead wishes to have it applied to a 3227 different resource, such as when the resource has been moved to a 3228 different URI, then the origin server MUST send an appropriate 3xx 3229 (Redirection) response; the user agent MAY then make its own decision 3230 regarding whether or not to redirect the request. 3232 A PUT request applied to the target resource can have side effects on 3233 other resources. For example, an article might have a URI for 3234 identifying "the current version" (a resource) that is separate from 3235 the URIs identifying each particular version (different resources 3236 that at one point shared the same state as the current version 3237 resource). A successful PUT request on "the current version" URI 3238 might therefore create a new version resource in addition to changing 3239 the state of the target resource, and might also cause links to be 3240 added between the related resources. 3242 An origin server that allows PUT on a given target resource MUST send 3243 a 400 (Bad Request) response to a PUT request that contains a 3244 Content-Range header field (Section 6.3.3), since the payload is 3245 likely to be partial content that has been mistakenly PUT as a full 3246 representation. Partial content updates are possible by targeting a 3247 separately identified resource with state that overlaps a portion of 3248 the larger resource, or by using a different method that has been 3249 specifically defined for partial updates (for example, the PATCH 3250 method defined in [RFC5789]). 3252 Responses to the PUT method are not cacheable. If a successful PUT 3253 request passes through a cache that has one or more stored responses 3254 for the effective request URI, those stored responses will be 3255 invalidated (see Section 4.4 of [Caching]). 3257 7.3.5. DELETE 3259 The DELETE method requests that the origin server remove the 3260 association between the target resource and its current 3261 functionality. In effect, this method is similar to the rm command 3262 in UNIX: it expresses a deletion operation on the URI mapping of the 3263 origin server rather than an expectation that the previously 3264 associated information be deleted. 3266 If the target resource has one or more current representations, they 3267 might or might not be destroyed by the origin server, and the 3268 associated storage might or might not be reclaimed, depending 3269 entirely on the nature of the resource and its implementation by the 3270 origin server (which are beyond the scope of this specification). 3271 Likewise, other implementation aspects of a resource might need to be 3272 deactivated or archived as a result of a DELETE, such as database or 3273 gateway connections. In general, it is assumed that the origin 3274 server will only allow DELETE on resources for which it has a 3275 prescribed mechanism for accomplishing the deletion. 3277 Relatively few resources allow the DELETE method -- its primary use 3278 is for remote authoring environments, where the user has some 3279 direction regarding its effect. For example, a resource that was 3280 previously created using a PUT request, or identified via the 3281 Location header field after a 201 (Created) response to a POST 3282 request, might allow a corresponding DELETE request to undo those 3283 actions. Similarly, custom user agent implementations that implement 3284 an authoring function, such as revision control clients using HTTP 3285 for remote operations, might use DELETE based on an assumption that 3286 the server's URI space has been crafted to correspond to a version 3287 repository. 3289 If a DELETE method is successfully applied, the origin server SHOULD 3290 send 3292 o a 202 (Accepted) status code if the action will likely succeed but 3293 has not yet been enacted, 3295 o a 204 (No Content) status code if the action has been enacted and 3296 no further information is to be supplied, or 3298 o a 200 (OK) status code if the action has been enacted and the 3299 response message includes a representation describing the status. 3301 A payload within a DELETE request message has no defined semantics; 3302 sending a payload body on a DELETE request might cause some existing 3303 implementations to reject the request. 3305 Responses to the DELETE method are not cacheable. If a successful 3306 DELETE request passes through a cache that has one or more stored 3307 responses for the effective request URI, those stored responses will 3308 be invalidated (see Section 4.4 of [Caching]). 3310 7.3.6. CONNECT 3312 The CONNECT method requests that the recipient establish a tunnel to 3313 the destination origin server identified by the request-target and, 3314 if successful, thereafter restrict its behavior to blind forwarding 3315 of packets, in both directions, until the tunnel is closed. Tunnels 3316 are commonly used to create an end-to-end virtual connection, through 3317 one or more proxies, which can then be secured using TLS (Transport 3318 Layer Security, [RFC5246]). 3320 CONNECT is intended only for use in requests to a proxy. An origin 3321 server that receives a CONNECT request for itself MAY respond with a 3322 2xx (Successful) status code to indicate that a connection is 3323 established. However, most origin servers do not implement CONNECT. 3325 A client sending a CONNECT request MUST send the authority form of 3326 request-target (Section 3.2 of [Messaging]); i.e., the request-target 3327 consists of only the host name and port number of the tunnel 3328 destination, separated by a colon. For example, 3330 CONNECT server.example.com:80 HTTP/1.1 3331 Host: server.example.com:80 3333 The recipient proxy can establish a tunnel either by directly 3334 connecting to the request-target or, if configured to use another 3335 proxy, by forwarding the CONNECT request to the next inbound proxy. 3336 Any 2xx (Successful) response indicates that the sender (and all 3337 inbound proxies) will switch to tunnel mode immediately after the 3338 blank line that concludes the successful response's header section; 3339 data received after that blank line is from the server identified by 3340 the request-target. Any response other than a successful response 3341 indicates that the tunnel has not yet been formed and that the 3342 connection remains governed by HTTP. 3344 A tunnel is closed when a tunnel intermediary detects that either 3345 side has closed its connection: the intermediary MUST attempt to send 3346 any outstanding data that came from the closed side to the other 3347 side, close both connections, and then discard any remaining data 3348 left undelivered. 3350 Proxy authentication might be used to establish the authority to 3351 create a tunnel. For example, 3353 CONNECT server.example.com:80 HTTP/1.1 3354 Host: server.example.com:80 3355 Proxy-Authorization: basic aGVsbG86d29ybGQ= 3357 There are significant risks in establishing a tunnel to arbitrary 3358 servers, particularly when the destination is a well-known or 3359 reserved TCP port that is not intended for Web traffic. For example, 3360 a CONNECT to a request-target of "example.com:25" would suggest that 3361 the proxy connect to the reserved port for SMTP traffic; if allowed, 3362 that could trick the proxy into relaying spam email. Proxies that 3363 support CONNECT SHOULD restrict its use to a limited set of known 3364 ports or a configurable whitelist of safe request targets. 3366 A server MUST NOT send any Transfer-Encoding or Content-Length header 3367 fields in a 2xx (Successful) response to CONNECT. A client MUST 3368 ignore any Content-Length or Transfer-Encoding header fields received 3369 in a successful response to CONNECT. 3371 A payload within a CONNECT request message has no defined semantics; 3372 sending a payload body on a CONNECT request might cause some existing 3373 implementations to reject the request. 3375 Responses to the CONNECT method are not cacheable. 3377 7.3.7. OPTIONS 3379 The OPTIONS method requests information about the communication 3380 options available for the target resource, at either the origin 3381 server or an intervening intermediary. This method allows a client 3382 to determine the options and/or requirements associated with a 3383 resource, or the capabilities of a server, without implying a 3384 resource action. 3386 An OPTIONS request with an asterisk ("*") as the request-target 3387 (Section 3.2 of [Messaging]) applies to the server in general rather 3388 than to a specific resource. Since a server's communication options 3389 typically depend on the resource, the "*" request is only useful as a 3390 "ping" or "no-op" type of method; it does nothing beyond allowing the 3391 client to test the capabilities of the server. For example, this can 3392 be used to test a proxy for HTTP/1.1 conformance (or lack thereof). 3394 If the request-target is not an asterisk, the OPTIONS request applies 3395 to the options that are available when communicating with the target 3396 resource. 3398 A server generating a successful response to OPTIONS SHOULD send any 3399 header fields that might indicate optional features implemented by 3400 the server and applicable to the target resource (e.g., Allow), 3401 including potential extensions not defined by this specification. 3402 The response payload, if any, might also describe the communication 3403 options in a machine or human-readable representation. A standard 3404 format for such a representation is not defined by this 3405 specification, but might be defined by future extensions to HTTP. A 3406 server MUST generate a Content-Length field with a value of "0" if no 3407 payload body is to be sent in the response. 3409 A client MAY send a Max-Forwards header field in an OPTIONS request 3410 to target a specific recipient in the request chain (see 3411 Section 8.1.2). A proxy MUST NOT generate a Max-Forwards header 3412 field while forwarding a request unless that request was received 3413 with a Max-Forwards field. 3415 A client that generates an OPTIONS request containing a payload body 3416 MUST send a valid Content-Type header field describing the 3417 representation media type. Although this specification does not 3418 define any use for such a payload, future extensions to HTTP might 3419 use the OPTIONS body to make more detailed queries about the target 3420 resource. 3422 Responses to the OPTIONS method are not cacheable. 3424 7.3.8. TRACE 3426 The TRACE method requests a remote, application-level loop-back of 3427 the request message. The final recipient of the request SHOULD 3428 reflect the message received, excluding some fields described below, 3429 back to the client as the message body of a 200 (OK) response with a 3430 Content-Type of "message/http" (Section 10.1 of [Messaging]). The 3431 final recipient is either the origin server or the first server to 3432 receive a Max-Forwards value of zero (0) in the request 3433 (Section 8.1.2). 3435 A client MUST NOT generate header fields in a TRACE request 3436 containing sensitive data that might be disclosed by the response. 3437 For example, it would be foolish for a user agent to send stored user 3438 credentials Section 8.5 or cookies [RFC6265] in a TRACE request. The 3439 final recipient of the request SHOULD exclude any request header 3440 fields that are likely to contain sensitive data when that recipient 3441 generates the response body. 3443 TRACE allows the client to see what is being received at the other 3444 end of the request chain and use that data for testing or diagnostic 3445 information. The value of the Via header field (Section 5.5.1) is of 3446 particular interest, since it acts as a trace of the request chain. 3447 Use of the Max-Forwards header field allows the client to limit the 3448 length of the request chain, which is useful for testing a chain of 3449 proxies forwarding messages in an infinite loop. 3451 A client MUST NOT send a message body in a TRACE request. 3453 Responses to the TRACE method are not cacheable. 3455 7.4. Method Extensibility 3457 Additional methods, outside the scope of this specification, have 3458 been specified for use in HTTP. All such methods ought to be 3459 registered within the "Hypertext Transfer Protocol (HTTP) Method 3460 Registry". 3462 7.4.1. Method Registry 3464 The "Hypertext Transfer Protocol (HTTP) Method Registry", maintained 3465 by IANA at , registers 3466 method names. 3468 HTTP method registrations MUST include the following fields: 3470 o Method Name (see Section 7) 3472 o Safe ("yes" or "no", see Section 7.2.1) 3474 o Idempotent ("yes" or "no", see Section 7.2.2) 3476 o Pointer to specification text 3478 Values to be added to this namespace require IETF Review (see 3479 [RFC8126], Section 4.8). 3481 7.4.2. Considerations for New Methods 3483 Standardized methods are generic; that is, they are potentially 3484 applicable to any resource, not just one particular media type, kind 3485 of resource, or application. As such, it is preferred that new 3486 methods be registered in a document that isn't specific to a single 3487 application or data format, since orthogonal technologies deserve 3488 orthogonal specification. 3490 Since message parsing (Section 6 of [Messaging]) needs to be 3491 independent of method semantics (aside from responses to HEAD), 3492 definitions of new methods cannot change the parsing algorithm or 3493 prohibit the presence of a message body on either the request or the 3494 response message. Definitions of new methods can specify that only a 3495 zero-length message body is allowed by requiring a Content-Length 3496 header field with a value of "0". 3498 A new method definition needs to indicate whether it is safe 3499 (Section 7.2.1), idempotent (Section 7.2.2), cacheable 3500 (Section 7.2.3), what semantics are to be associated with the payload 3501 body if any is present in the request and what refinements the method 3502 makes to header field or status code semantics. If the new method is 3503 cacheable, its definition ought to describe how, and under what 3504 conditions, a cache can store a response and use it to satisfy a 3505 subsequent request. The new method ought to describe whether it can 3506 be made conditional (Section 8.2) and, if so, how a server responds 3507 when the condition is false. Likewise, if the new method might have 3508 some use for partial response semantics (Section 8.3), it ought to 3509 document this, too. 3511 Note: Avoid defining a method name that starts with "M-", since 3512 that prefix might be misinterpreted as having the semantics 3513 assigned to it by [RFC2774]. 3515 8. Request Header Fields 3517 A client sends request header fields to provide more information 3518 about the request context, make the request conditional based on the 3519 target resource state, suggest preferred formats for the response, 3520 supply authentication credentials, or modify the expected request 3521 processing. These fields act as request modifiers, similar to the 3522 parameters on a programming language method invocation. 3524 8.1. Controls 3526 Controls are request header fields that direct specific handling of 3527 the request. 3529 +-------------------+----------------------------+ 3530 | Header Field Name | Defined in... | 3531 +-------------------+----------------------------+ 3532 | Cache-Control | Section 5.2 of [Caching] | 3533 | Expect | Section 8.1.1 | 3534 | Host | Section 5.4 | 3535 | Max-Forwards | Section 8.1.2 | 3536 | Pragma | Section 5.4 of [Caching] | 3537 | TE | Section 7.4 of [Messaging] | 3538 +-------------------+----------------------------+ 3540 8.1.1. Expect 3542 The "Expect" header field in a request indicates a certain set of 3543 behaviors (expectations) that need to be supported by the server in 3544 order to properly handle this request. The only such expectation 3545 defined by this specification is 100-continue. 3547 Expect = "100-continue" 3549 The Expect field-value is case-insensitive. 3551 A server that receives an Expect field-value other than 100-continue 3552 MAY respond with a 417 (Expectation Failed) status code to indicate 3553 that the unexpected expectation cannot be met. 3555 A 100-continue expectation informs recipients that the client is 3556 about to send a (presumably large) message body in this request and 3557 wishes to receive a 100 (Continue) interim response if the request- 3558 line and header fields are not sufficient to cause an immediate 3559 success, redirect, or error response. This allows the client to wait 3560 for an indication that it is worthwhile to send the message body 3561 before actually doing so, which can improve efficiency when the 3562 message body is huge or when the client anticipates that an error is 3563 likely (e.g., when sending a state-changing method, for the first 3564 time, without previously verified authentication credentials). 3566 For example, a request that begins with 3568 PUT /somewhere/fun HTTP/1.1 3569 Host: origin.example.com 3570 Content-Type: video/h264 3571 Content-Length: 1234567890987 3572 Expect: 100-continue 3574 allows the origin server to immediately respond with an error 3575 message, such as 401 (Unauthorized) or 405 (Method Not Allowed), 3576 before the client starts filling the pipes with an unnecessary data 3577 transfer. 3579 Requirements for clients: 3581 o A client MUST NOT generate a 100-continue expectation in a request 3582 that does not include a message body. 3584 o A client that will wait for a 100 (Continue) response before 3585 sending the request message body MUST send an Expect header field 3586 containing a 100-continue expectation. 3588 o A client that sends a 100-continue expectation is not required to 3589 wait for any specific length of time; such a client MAY proceed to 3590 send the message body even if it has not yet received a response. 3591 Furthermore, since 100 (Continue) responses cannot be sent through 3592 an HTTP/1.0 intermediary, such a client SHOULD NOT wait for an 3593 indefinite period before sending the message body. 3595 o A client that receives a 417 (Expectation Failed) status code in 3596 response to a request containing a 100-continue expectation SHOULD 3597 repeat that request without a 100-continue expectation, since the 3598 417 response merely indicates that the response chain does not 3599 support expectations (e.g., it passes through an HTTP/1.0 server). 3601 Requirements for servers: 3603 o A server that receives a 100-continue expectation in an HTTP/1.0 3604 request MUST ignore that expectation. 3606 o A server MAY omit sending a 100 (Continue) response if it has 3607 already received some or all of the message body for the 3608 corresponding request, or if the framing indicates that there is 3609 no message body. 3611 o A server that sends a 100 (Continue) response MUST ultimately send 3612 a final status code, once the message body is received and 3613 processed, unless the connection is closed prematurely. 3615 o A server that responds with a final status code before reading the 3616 entire request payload body SHOULD indicate whether it intends to 3617 close the connection (see Section 9.7 of [Messaging]) or continue 3618 reading the payload body. 3620 An origin server MUST, upon receiving an HTTP/1.1 (or later) request- 3621 line and a complete header section that contains a 100-continue 3622 expectation and indicates a request message body will follow, either 3623 send an immediate response with a final status code, if that status 3624 can be determined by examining just the request-line and header 3625 fields, or send an immediate 100 (Continue) response to encourage the 3626 client to send the request's message body. The origin server MUST 3627 NOT wait for the message body before sending the 100 (Continue) 3628 response. 3630 A proxy MUST, upon receiving an HTTP/1.1 (or later) request-line and 3631 a complete header section that contains a 100-continue expectation 3632 and indicates a request message body will follow, either send an 3633 immediate response with a final status code, if that status can be 3634 determined by examining just the request-line and header fields, or 3635 begin forwarding the request toward the origin server by sending a 3636 corresponding request-line and header section to the next inbound 3637 server. If the proxy believes (from configuration or past 3638 interaction) that the next inbound server only supports HTTP/1.0, the 3639 proxy MAY generate an immediate 100 (Continue) response to encourage 3640 the client to begin sending the message body. 3642 Note: The Expect header field was added after the original 3643 publication of HTTP/1.1 [RFC2068] as both the means to request an 3644 interim 100 (Continue) response and the general mechanism for 3645 indicating must-understand extensions. However, the extension 3646 mechanism has not been used by clients and the must-understand 3647 requirements have not been implemented by many servers, rendering 3648 the extension mechanism useless. This specification has removed 3649 the extension mechanism in order to simplify the definition and 3650 processing of 100-continue. 3652 8.1.2. Max-Forwards 3654 The "Max-Forwards" header field provides a mechanism with the TRACE 3655 (Section 7.3.8) and OPTIONS (Section 7.3.7) request methods to limit 3656 the number of times that the request is forwarded by proxies. This 3657 can be useful when the client is attempting to trace a request that 3658 appears to be failing or looping mid-chain. 3660 Max-Forwards = 1*DIGIT 3662 The Max-Forwards value is a decimal integer indicating the remaining 3663 number of times this request message can be forwarded. 3665 Each intermediary that receives a TRACE or OPTIONS request containing 3666 a Max-Forwards header field MUST check and update its value prior to 3667 forwarding the request. If the received value is zero (0), the 3668 intermediary MUST NOT forward the request; instead, the intermediary 3669 MUST respond as the final recipient. If the received Max-Forwards 3670 value is greater than zero, the intermediary MUST generate an updated 3671 Max-Forwards field in the forwarded message with a field-value that 3672 is the lesser of a) the received value decremented by one (1) or b) 3673 the recipient's maximum supported value for Max-Forwards. 3675 A recipient MAY ignore a Max-Forwards header field received with any 3676 other request methods. 3678 8.2. Preconditions 3680 A conditional request is an HTTP request with one or more request 3681 header fields that indicate a precondition to be tested before 3682 applying the request method to the target resource. Section 8.2.1 3683 defines when preconditions are applied. Section 8.2.2 defines the 3684 order of evaluation when more than one precondition is present. 3686 Conditional GET requests are the most efficient mechanism for HTTP 3687 cache updates [Caching]. Conditionals can also be applied to state- 3688 changing methods, such as PUT and DELETE, to prevent the "lost 3689 update" problem: one client accidentally overwriting the work of 3690 another client that has been acting in parallel. 3692 Conditional request preconditions are based on the state of the 3693 target resource as a whole (its current value set) or the state as 3694 observed in a previously obtained representation (one value in that 3695 set). A resource might have multiple current representations, each 3696 with its own observable state. The conditional request mechanisms 3697 assume that the mapping of requests to a "selected representation" 3698 (Section 6) will be consistent over time if the server intends to 3699 take advantage of conditionals. Regardless, if the mapping is 3700 inconsistent and the server is unable to select the appropriate 3701 representation, then no harm will result when the precondition 3702 evaluates to false. 3704 The following request header fields allow a client to place a 3705 precondition on the state of the target resource, so that the action 3706 corresponding to the method semantics will not be applied if the 3707 precondition evaluates to false. Each precondition defined by this 3708 specification consists of a comparison between a set of validators 3709 obtained from prior representations of the target resource to the 3710 current state of validators for the selected representation 3711 (Section 10.2). Hence, these preconditions evaluate whether the 3712 state of the target resource has changed since a given state known by 3713 the client. The effect of such an evaluation depends on the method 3714 semantics and choice of conditional, as defined in Section 8.2.1. 3716 +---------------------+---------------+ 3717 | Header Field Name | Defined in... | 3718 +---------------------+---------------+ 3719 | If-Match | Section 8.2.3 | 3720 | If-None-Match | Section 8.2.4 | 3721 | If-Modified-Since | Section 8.2.5 | 3722 | If-Unmodified-Since | Section 8.2.6 | 3723 | If-Range | Section 8.2.7 | 3724 +---------------------+---------------+ 3726 8.2.1. Evaluation 3728 Except when excluded below, a recipient cache or origin server MUST 3729 evaluate received request preconditions after it has successfully 3730 performed its normal request checks and just before it would perform 3731 the action associated with the request method. A server MUST ignore 3732 all received preconditions if its response to the same request 3733 without those conditions would have been a status code other than a 3734 2xx (Successful) or 412 (Precondition Failed). In other words, 3735 redirects and failures take precedence over the evaluation of 3736 preconditions in conditional requests. 3738 A server that is not the origin server for the target resource and 3739 cannot act as a cache for requests on the target resource MUST NOT 3740 evaluate the conditional request header fields defined by this 3741 specification, and it MUST forward them if the request is forwarded, 3742 since the generating client intends that they be evaluated by a 3743 server that can provide a current representation. Likewise, a server 3744 MUST ignore the conditional request header fields defined by this 3745 specification when received with a request method that does not 3746 involve the selection or modification of a selected representation, 3747 such as CONNECT, OPTIONS, or TRACE. 3749 Note that protocol extensions can modify the conditions under which 3750 revalidation is triggered. For example, the "immutable" cache 3751 directive (defined by [RFC8246]) instructs caches to forgo 3752 revalidation of fresh responses even when requested by the client. 3754 Conditional request header fields that are defined by extensions to 3755 HTTP might place conditions on all recipients, on the state of the 3756 target resource in general, or on a group of resources. For 3757 instance, the "If" header field in WebDAV can make a request 3758 conditional on various aspects of multiple resources, such as locks, 3759 if the recipient understands and implements that field ([RFC4918], 3760 Section 10.4). 3762 Although conditional request header fields are defined as being 3763 usable with the HEAD method (to keep HEAD's semantics consistent with 3764 those of GET), there is no point in sending a conditional HEAD 3765 because a successful response is around the same size as a 304 (Not 3766 Modified) response and more useful than a 412 (Precondition Failed) 3767 response. 3769 8.2.2. Precedence 3771 When more than one conditional request header field is present in a 3772 request, the order in which the fields are evaluated becomes 3773 important. In practice, the fields defined in this document are 3774 consistently implemented in a single, logical order, since "lost 3775 update" preconditions have more strict requirements than cache 3776 validation, a validated cache is more efficient than a partial 3777 response, and entity tags are presumed to be more accurate than date 3778 validators. 3780 A recipient cache or origin server MUST evaluate the request 3781 preconditions defined by this specification in the following order: 3783 1. When recipient is the origin server and If-Match is present, 3784 evaluate the If-Match precondition: 3786 * if true, continue to step 3 3788 * if false, respond 412 (Precondition Failed) unless it can be 3789 determined that the state-changing request has already 3790 succeeded (see Section 8.2.3) 3792 2. When recipient is the origin server, If-Match is not present, and 3793 If-Unmodified-Since is present, evaluate the If-Unmodified-Since 3794 precondition: 3796 * if true, continue to step 3 3798 * if false, respond 412 (Precondition Failed) unless it can be 3799 determined that the state-changing request has already 3800 succeeded (see Section 8.2.6) 3802 3. When If-None-Match is present, evaluate the If-None-Match 3803 precondition: 3805 * if true, continue to step 5 3807 * if false for GET/HEAD, respond 304 (Not Modified) 3809 * if false for other methods, respond 412 (Precondition Failed) 3811 4. When the method is GET or HEAD, If-None-Match is not present, and 3812 If-Modified-Since is present, evaluate the If-Modified-Since 3813 precondition: 3815 * if true, continue to step 5 3817 * if false, respond 304 (Not Modified) 3819 5. When the method is GET and both Range and If-Range are present, 3820 evaluate the If-Range precondition: 3822 * if the validator matches and the Range specification is 3823 applicable to the selected representation, respond 206 3824 (Partial Content) 3826 6. Otherwise, 3828 * all conditions are met, so perform the requested action and 3829 respond according to its success or failure. 3831 Any extension to HTTP/1.1 that defines additional conditional request 3832 header fields ought to define its own expectations regarding the 3833 order for evaluating such fields in relation to those defined in this 3834 document and other conditionals that might be found in practice. 3836 8.2.3. If-Match 3838 The "If-Match" header field makes the request method conditional on 3839 the recipient origin server either having at least one current 3840 representation of the target resource, when the field-value is "*", 3841 or having a current representation of the target resource that has an 3842 entity-tag matching a member of the list of entity-tags provided in 3843 the field-value. 3845 An origin server MUST use the strong comparison function when 3846 comparing entity-tags for If-Match (Section 10.2.3.2), since the 3847 client intends this precondition to prevent the method from being 3848 applied if there have been any changes to the representation data. 3850 If-Match = "*" / 1#entity-tag 3852 Examples: 3854 If-Match: "xyzzy" 3855 If-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 3856 If-Match: * 3858 If-Match is most often used with state-changing methods (e.g., POST, 3859 PUT, DELETE) to prevent accidental overwrites when multiple user 3860 agents might be acting in parallel on the same resource (i.e., to 3861 prevent the "lost update" problem). It can also be used with safe 3862 methods to abort a request if the selected representation does not 3863 match one already stored (or partially stored) from a prior request. 3865 An origin server that receives an If-Match header field MUST evaluate 3866 the condition prior to performing the method (Section 8.2.1). If the 3867 field-value is "*", the condition is false if the origin server does 3868 not have a current representation for the target resource. If the 3869 field-value is a list of entity-tags, the condition is false if none 3870 of the listed tags match the entity-tag of the selected 3871 representation. 3873 An origin server MUST NOT perform the requested method if a received 3874 If-Match condition evaluates to false; instead, the origin server 3875 MUST respond with either a) the 412 (Precondition Failed) status code 3876 or b) one of the 2xx (Successful) status codes if the origin server 3877 has verified that a state change is being requested and the final 3878 state is already reflected in the current state of the target 3879 resource (i.e., the change requested by the user agent has already 3880 succeeded, but the user agent might not be aware of it, perhaps 3881 because the prior response was lost or a compatible change was made 3882 by some other user agent). In the latter case, the origin server 3883 MUST NOT send a validator header field in the response unless it can 3884 verify that the request is a duplicate of an immediately prior change 3885 made by the same user agent. 3887 The If-Match header field can be ignored by caches and intermediaries 3888 because it is not applicable to a stored response. 3890 8.2.4. If-None-Match 3892 The "If-None-Match" header field makes the request method conditional 3893 on a recipient cache or origin server either not having any current 3894 representation of the target resource, when the field-value is "*", 3895 or having a selected representation with an entity-tag that does not 3896 match any of those listed in the field-value. 3898 A recipient MUST use the weak comparison function when comparing 3899 entity-tags for If-None-Match (Section 10.2.3.2), since weak entity- 3900 tags can be used for cache validation even if there have been changes 3901 to the representation data. 3903 If-None-Match = "*" / 1#entity-tag 3905 Examples: 3907 If-None-Match: "xyzzy" 3908 If-None-Match: W/"xyzzy" 3909 If-None-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 3910 If-None-Match: W/"xyzzy", W/"r2d2xxxx", W/"c3piozzzz" 3911 If-None-Match: * 3913 If-None-Match is primarily used in conditional GET requests to enable 3914 efficient updates of cached information with a minimum amount of 3915 transaction overhead. When a client desires to update one or more 3916 stored responses that have entity-tags, the client SHOULD generate an 3917 If-None-Match header field containing a list of those entity-tags 3918 when making a GET request; this allows recipient servers to send a 3919 304 (Not Modified) response to indicate when one of those stored 3920 responses matches the selected representation. 3922 If-None-Match can also be used with a value of "*" to prevent an 3923 unsafe request method (e.g., PUT) from inadvertently modifying an 3924 existing representation of the target resource when the client 3925 believes that the resource does not have a current representation 3926 (Section 7.2.1). This is a variation on the "lost update" problem 3927 that might arise if more than one client attempts to create an 3928 initial representation for the target resource. 3930 An origin server that receives an If-None-Match header field MUST 3931 evaluate the condition prior to performing the method 3932 (Section 8.2.1). If the field-value is "*", the condition is false 3933 if the origin server has a current representation for the target 3934 resource. If the field-value is a list of entity-tags, the condition 3935 is false if one of the listed tags match the entity-tag of the 3936 selected representation. 3938 An origin server MUST NOT perform the requested method if the 3939 condition evaluates to false; instead, the origin server MUST respond 3940 with either a) the 304 (Not Modified) status code if the request 3941 method is GET or HEAD or b) the 412 (Precondition Failed) status code 3942 for all other request methods. 3944 Requirements on cache handling of a received If-None-Match header 3945 field are defined in Section 4.3.2 of [Caching]. 3947 8.2.5. If-Modified-Since 3949 The "If-Modified-Since" header field makes a GET or HEAD request 3950 method conditional on the selected representation's modification date 3951 being more recent than the date provided in the field-value. 3952 Transfer of the selected representation's data is avoided if that 3953 data has not changed. 3955 If-Modified-Since = HTTP-date 3957 An example of the field is: 3959 If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT 3961 A recipient MUST ignore If-Modified-Since if the request contains an 3962 If-None-Match header field; the condition in If-None-Match is 3963 considered to be a more accurate replacement for the condition in If- 3964 Modified-Since, and the two are only combined for the sake of 3965 interoperating with older intermediaries that might not implement If- 3966 None-Match. 3968 A recipient MUST ignore the If-Modified-Since header field if the 3969 received field-value is not a valid HTTP-date, or if the request 3970 method is neither GET nor HEAD. 3972 A recipient MUST interpret an If-Modified-Since field-value's 3973 timestamp in terms of the origin server's clock. 3975 If-Modified-Since is typically used for two distinct purposes: 1) to 3976 allow efficient updates of a cached representation that does not have 3977 an entity-tag and 2) to limit the scope of a web traversal to 3978 resources that have recently changed. 3980 When used for cache updates, a cache will typically use the value of 3981 the cached message's Last-Modified field to generate the field value 3982 of If-Modified-Since. This behavior is most interoperable for cases 3983 where clocks are poorly synchronized or when the server has chosen to 3984 only honor exact timestamp matches (due to a problem with Last- 3985 Modified dates that appear to go "back in time" when the origin 3986 server's clock is corrected or a representation is restored from an 3987 archived backup). However, caches occasionally generate the field 3988 value based on other data, such as the Date header field of the 3989 cached message or the local clock time that the message was received, 3990 particularly when the cached message does not contain a Last-Modified 3991 field. 3993 When used for limiting the scope of retrieval to a recent time 3994 window, a user agent will generate an If-Modified-Since field value 3995 based on either its own local clock or a Date header field received 3996 from the server in a prior response. Origin servers that choose an 3997 exact timestamp match based on the selected representation's Last- 3998 Modified field will not be able to help the user agent limit its data 3999 transfers to only those changed during the specified window. 4001 An origin server that receives an If-Modified-Since header field 4002 SHOULD evaluate the condition prior to performing the method 4003 (Section 8.2.1). The origin server SHOULD NOT perform the requested 4004 method if the selected representation's last modification date is 4005 earlier than or equal to the date provided in the field-value; 4006 instead, the origin server SHOULD generate a 304 (Not Modified) 4007 response, including only those metadata that are useful for 4008 identifying or updating a previously cached response. 4010 Requirements on cache handling of a received If-Modified-Since header 4011 field are defined in Section 4.3.2 of [Caching]. 4013 8.2.6. If-Unmodified-Since 4015 The "If-Unmodified-Since" header field makes the request method 4016 conditional on the selected representation's last modification date 4017 being earlier than or equal to the date provided in the field-value. 4018 This field accomplishes the same purpose as If-Match for cases where 4019 the user agent does not have an entity-tag for the representation. 4021 If-Unmodified-Since = HTTP-date 4023 An example of the field is: 4025 If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT 4027 A recipient MUST ignore If-Unmodified-Since if the request contains 4028 an If-Match header field; the condition in If-Match is considered to 4029 be a more accurate replacement for the condition in If-Unmodified- 4030 Since, and the two are only combined for the sake of interoperating 4031 with older intermediaries that might not implement If-Match. 4033 A recipient MUST ignore the If-Unmodified-Since header field if the 4034 received field-value is not a valid HTTP-date. 4036 A recipient MUST interpret an If-Unmodified-Since field-value's 4037 timestamp in terms of the origin server's clock. 4039 If-Unmodified-Since is most often used with state-changing methods 4040 (e.g., POST, PUT, DELETE) to prevent accidental overwrites when 4041 multiple user agents might be acting in parallel on a resource that 4042 does not supply entity-tags with its representations (i.e., to 4043 prevent the "lost update" problem). It can also be used with safe 4044 methods to abort a request if the selected representation does not 4045 match one already stored (or partially stored) from a prior request. 4047 An origin server that receives an If-Unmodified-Since header field 4048 MUST evaluate the condition prior to performing the method 4049 (Section 8.2.1). The origin server MUST NOT perform the requested 4050 method if the selected representation's last modification date is 4051 more recent than the date provided in the field-value; instead the 4052 origin server MUST respond with either a) the 412 (Precondition 4053 Failed) status code or b) one of the 2xx (Successful) status codes if 4054 the origin server has verified that a state change is being requested 4055 and the final state is already reflected in the current state of the 4056 target resource (i.e., the change requested by the user agent has 4057 already succeeded, but the user agent might not be aware of that 4058 because the prior response message was lost or a compatible change 4059 was made by some other user agent). In the latter case, the origin 4060 server MUST NOT send a validator header field in the response unless 4061 it can verify that the request is a duplicate of an immediately prior 4062 change made by the same user agent. 4064 The If-Unmodified-Since header field can be ignored by caches and 4065 intermediaries because it is not applicable to a stored response. 4067 8.2.7. If-Range 4069 The "If-Range" header field provides a special conditional request 4070 mechanism that is similar to the If-Match and If-Unmodified-Since 4071 header fields but that instructs the recipient to ignore the Range 4072 header field if the validator doesn't match, resulting in transfer of 4073 the new selected representation instead of a 412 (Precondition 4074 Failed) response. 4076 If a client has a partial copy of a representation and wishes to have 4077 an up-to-date copy of the entire representation, it could use the 4078 Range header field with a conditional GET (using either or both of 4079 If-Unmodified-Since and If-Match.) However, if the precondition 4080 fails because the representation has been modified, the client would 4081 then have to make a second request to obtain the entire current 4082 representation. 4084 The "If-Range" header field allows a client to "short-circuit" the 4085 second request. Informally, its meaning is as follows: if the 4086 representation is unchanged, send me the part(s) that I am requesting 4087 in Range; otherwise, send me the entire representation. 4089 If-Range = entity-tag / HTTP-date 4091 A client MUST NOT generate an If-Range header field in a request that 4092 does not contain a Range header field. A server MUST ignore an If- 4093 Range header field received in a request that does not contain a 4094 Range header field. An origin server MUST ignore an If-Range header 4095 field received in a request for a target resource that does not 4096 support Range requests. 4098 A client MUST NOT generate an If-Range header field containing an 4099 entity-tag that is marked as weak. A client MUST NOT generate an If- 4100 Range header field containing an HTTP-date unless the client has no 4101 entity-tag for the corresponding representation and the date is a 4102 strong validator in the sense defined by Section 10.2.2.2. 4104 A server that evaluates an If-Range precondition MUST use the strong 4105 comparison function when comparing entity-tags (Section 10.2.3.2) and 4106 MUST evaluate the condition as false if an HTTP-date validator is 4107 provided that is not a strong validator in the sense defined by 4108 Section 10.2.2.2. A valid entity-tag can be distinguished from a 4109 valid HTTP-date by examining the first two characters for a DQUOTE. 4111 If the validator given in the If-Range header field matches the 4112 current validator for the selected representation of the target 4113 resource, then the server SHOULD process the Range header field as 4114 requested. If the validator does not match, the server MUST ignore 4115 the Range header field. Note that this comparison by exact match, 4116 including when the validator is an HTTP-date, differs from the 4117 "earlier than or equal to" comparison used when evaluating an If- 4118 Unmodified-Since conditional. 4120 8.3. Range 4122 The "Range" header field on a GET request modifies the method 4123 semantics to request transfer of only one or more subranges of the 4124 selected representation data, rather than the entire selected 4125 representation data. 4127 Range = byte-ranges-specifier / other-ranges-specifier 4128 other-ranges-specifier = other-range-unit "=" other-range-set 4129 other-range-set = 1*VCHAR 4131 Clients often encounter interrupted data transfers as a result of 4132 canceled requests or dropped connections. When a client has stored a 4133 partial representation, it is desirable to request the remainder of 4134 that representation in a subsequent request rather than transfer the 4135 entire representation. Likewise, devices with limited local storage 4136 might benefit from being able to request only a subset of a larger 4137 representation, such as a single page of a very large document, or 4138 the dimensions of an embedded image. 4140 Range requests are an OPTIONAL feature of HTTP, designed so that 4141 recipients not implementing this feature (or not supporting it for 4142 the target resource) can respond as if it is a normal GET request 4143 without impacting interoperability. Partial responses are indicated 4144 by a distinct status code to not be mistaken for full responses by 4145 caches that might not implement the feature. 4147 A server MAY ignore the Range header field. However, origin servers 4148 and intermediate caches ought to support byte ranges when possible, 4149 since Range supports efficient recovery from partially failed 4150 transfers and partial retrieval of large representations. A server 4151 MUST ignore a Range header field received with a request method other 4152 than GET. 4154 Although the range request mechanism is designed to allow for 4155 extensible range types, this specification only defines requests for 4156 byte ranges. 4158 An origin server MUST ignore a Range header field that contains a 4159 range unit it does not understand. A proxy MAY discard a Range 4160 header field that contains a range unit it does not understand. 4162 A server that supports range requests MAY ignore or reject a Range 4163 header field that consists of more than two overlapping ranges, or a 4164 set of many small ranges that are not listed in ascending order, 4165 since both are indications of either a broken client or a deliberate 4166 denial-of-service attack (Section 12.13). A client SHOULD NOT 4167 request multiple ranges that are inherently less efficient to process 4168 and transfer than a single range that encompasses the same data. 4170 A client that is requesting multiple ranges SHOULD list those ranges 4171 in ascending order (the order in which they would typically be 4172 received in a complete representation) unless there is a specific 4173 need to request a later part earlier. For example, a user agent 4174 processing a large representation with an internal catalog of parts 4175 might need to request later parts first, particularly if the 4176 representation consists of pages stored in reverse order and the user 4177 agent wishes to transfer one page at a time. 4179 The Range header field is evaluated after evaluating the precondition 4180 header fields defined in Section 8.2, and only if the result in 4181 absence of the Range header field would be a 200 (OK) response. In 4182 other words, Range is ignored when a conditional GET would result in 4183 a 304 (Not Modified) response. 4185 The If-Range header field (Section 8.2.7) can be used as a 4186 precondition to applying the Range header field. 4188 If all of the preconditions are true, the server supports the Range 4189 header field for the target resource, and the specified range(s) are 4190 valid and satisfiable (as defined in Section 6.1.4.1), the server 4191 SHOULD send a 206 (Partial Content) response with a payload 4192 containing one or more partial representations that correspond to the 4193 satisfiable ranges requested. 4195 If all of the preconditions are true, the server supports the Range 4196 header field for the target resource, and the specified range(s) are 4197 invalid or unsatisfiable, the server SHOULD send a 416 (Range Not 4198 Satisfiable) response. 4200 8.4. Content Negotiation 4202 The following request header fields are sent by a user agent to 4203 engage in proactive negotiation of the response content, as defined 4204 in Section 6.4.1. The preferences sent in these fields apply to any 4205 content in the response, including representations of the target 4206 resource, representations of error or processing status, and 4207 potentially even the miscellaneous text strings that might appear 4208 within the protocol. 4210 +-------------------+---------------+ 4211 | Header Field Name | Defined in... | 4212 +-------------------+---------------+ 4213 | Accept | Section 8.4.2 | 4214 | Accept-Charset | Section 8.4.3 | 4215 | Accept-Encoding | Section 8.4.4 | 4216 | Accept-Language | Section 8.4.5 | 4217 +-------------------+---------------+ 4219 For each of these header fields, a request that does not contain it 4220 implies that the user agent has no preference on that axis of 4221 negotiation. If the header field is present in a request and none of 4222 the available representations for the response can be considered 4223 acceptable according to it, the origin server can either honor the 4224 header field by sending a 406 (Not Acceptable) response or disregard 4225 the header field by treating the response as if it is not subject to 4226 content negotiation for that request header field. This does not 4227 imply, however, that the client will be able to use the 4228 representation. 4230 Note: Sending these header fields makes it easier for a server to 4231 identify an individual by virtue of the user agent's request 4232 characteristics (Section 12.11). 4234 Each of these header fields defines a wildcard value (often, "*") to 4235 select unspecified values. If no wildcard is present, all values not 4236 explicitly mentioned in the field are considered "not acceptable" to 4237 the client. 4239 Note: In practice, using wildcards in content negotiation has limited 4240 practical value, because it is seldom useful to say, for example, "I 4241 prefer image/* more or less than (some other specific value)". 4242 Clients can explicitly request a 406 (Not Acceptable) response if a 4243 more preferred format is not available by sending Accept: */*;q=0, 4244 but they still need to be able to handle a different response, since 4245 the server is allowed to ignore their preference. 4247 8.4.1. Quality Values 4249 Many of the request header fields for proactive negotiation use a 4250 common parameter, named "q" (case-insensitive), to assign a relative 4251 "weight" to the preference for that associated kind of content. This 4252 weight is referred to as a "quality value" (or "qvalue") because the 4253 same parameter name is often used within server configurations to 4254 assign a weight to the relative quality of the various 4255 representations that can be selected for a resource. 4257 The weight is normalized to a real number in the range 0 through 1, 4258 where 0.001 is the least preferred and 1 is the most preferred; a 4259 value of 0 means "not acceptable". If no "q" parameter is present, 4260 the default weight is 1. 4262 weight = OWS ";" OWS "q=" qvalue 4263 qvalue = ( "0" [ "." 0*3DIGIT ] ) 4264 / ( "1" [ "." 0*3("0") ] ) 4266 A sender of qvalue MUST NOT generate more than three digits after the 4267 decimal point. User configuration of these values ought to be 4268 limited in the same fashion. 4270 8.4.2. Accept 4272 The "Accept" header field can be used by user agents to specify their 4273 preferences regarding response media types. For example, Accept 4274 header fields can be used to indicate that the request is 4275 specifically limited to a small set of desired types, as in the case 4276 of a request for an in-line image. 4278 Accept = #( media-range [ accept-params ] ) 4280 media-range = ( "*/*" 4281 / ( type "/" "*" ) 4282 / ( type "/" subtype ) 4283 ) *( OWS ";" OWS parameter ) 4284 accept-params = weight *( accept-ext ) 4285 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 4287 The asterisk "*" character is used to group media types into ranges, 4288 with "*/*" indicating all media types and "type/*" indicating all 4289 subtypes of that type. The media-range can include media type 4290 parameters that are applicable to that range. 4292 Each media-range might be followed by zero or more applicable media 4293 type parameters (e.g., charset), an optional "q" parameter for 4294 indicating a relative weight (Section 8.4.1), and then zero or more 4295 extension parameters. The "q" parameter is necessary if any 4296 extensions (accept-ext) are present, since it acts as a separator 4297 between the two parameter sets. 4299 Note: Use of the "q" parameter name to separate media type 4300 parameters from Accept extension parameters is due to historical 4301 practice. Although this prevents any media type parameter named 4302 "q" from being used with a media range, such an event is believed 4303 to be unlikely given the lack of any "q" parameters in the IANA 4304 media type registry and the rare usage of any media type 4305 parameters in Accept. Future media types are discouraged from 4306 registering any parameter named "q". 4308 The example 4310 Accept: audio/*; q=0.2, audio/basic 4312 is interpreted as "I prefer audio/basic, but send me any audio type 4313 if it is the best available after an 80% markdown in quality". 4315 A more elaborate example is 4317 Accept: text/plain; q=0.5, text/html, 4318 text/x-dvi; q=0.8, text/x-c 4320 Verbally, this would be interpreted as "text/html and text/x-c are 4321 the equally preferred media types, but if they do not exist, then 4322 send the text/x-dvi representation, and if that does not exist, send 4323 the text/plain representation". 4325 Media ranges can be overridden by more specific media ranges or 4326 specific media types. If more than one media range applies to a 4327 given type, the most specific reference has precedence. For example, 4329 Accept: text/*, text/plain, text/plain;format=flowed, */* 4331 have the following precedence: 4333 1. text/plain;format=flowed 4335 2. text/plain 4337 3. text/* 4339 4. */* 4341 The media type quality factor associated with a given type is 4342 determined by finding the media range with the highest precedence 4343 that matches the type. For example, 4345 Accept: text/*;q=0.3, text/html;q=0.7, text/html;level=1, 4346 text/html;level=2;q=0.4, */*;q=0.5 4348 would cause the following values to be associated: 4350 +-------------------+---------------+ 4351 | Media Type | Quality Value | 4352 +-------------------+---------------+ 4353 | text/html;level=1 | 1 | 4354 | text/html | 0.7 | 4355 | text/plain | 0.3 | 4356 | image/jpeg | 0.5 | 4357 | text/html;level=2 | 0.4 | 4358 | text/html;level=3 | 0.7 | 4359 +-------------------+---------------+ 4361 Note: A user agent might be provided with a default set of quality 4362 values for certain media ranges. However, unless the user agent is a 4363 closed system that cannot interact with other rendering agents, this 4364 default set ought to be configurable by the user. 4366 8.4.3. Accept-Charset 4368 The "Accept-Charset" header field can be sent by a user agent to 4369 indicate its preferences for charsets in textual response content. 4370 For example, this field allows user agents capable of understanding 4371 more comprehensive or special-purpose charsets to signal that 4372 capability to an origin server that is capable of representing 4373 information in those charsets. 4375 Accept-Charset = 1#( ( charset / "*" ) [ weight ] ) 4377 Charset names are defined in Section 6.1.1.1. A user agent MAY 4378 associate a quality value with each charset to indicate the user's 4379 relative preference for that charset, as defined in Section 8.4.1. 4380 An example is 4382 Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 4384 The special value "*", if present in the Accept-Charset field, 4385 matches every charset that is not mentioned elsewhere in the Accept- 4386 Charset field. 4388 Note: Accept-Charset is deprecated because UTF-8 has become nearly 4389 ubiquitous and sending a detailed list of user-preferred charsets 4390 wastes bandwidth, increases latency, and makes passive fingerprinting 4391 far too easy (Section 12.11). Most general-purpose user agents do 4392 not send Accept-Charset, unless specifically configured to do so. 4394 8.4.4. Accept-Encoding 4396 The "Accept-Encoding" header field can be used by user agents to 4397 indicate their preferences regarding response content-codings 4398 (Section 6.1.2). An "identity" token is used as a synonym for "no 4399 encoding" in order to communicate when no encoding is preferred. 4401 Accept-Encoding = #( codings [ weight ] ) 4402 codings = content-coding / "identity" / "*" 4404 Each codings value MAY be given an associated quality value 4405 representing the preference for that encoding, as defined in 4406 Section 8.4.1. The asterisk "*" symbol in an Accept-Encoding field 4407 matches any available content-coding not explicitly listed in the 4408 header field. 4410 For example, 4412 Accept-Encoding: compress, gzip 4413 Accept-Encoding: 4414 Accept-Encoding: * 4415 Accept-Encoding: compress;q=0.5, gzip;q=1.0 4416 Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0 4418 A server tests whether a content-coding for a given representation is 4419 acceptable using these rules: 4421 1. If no Accept-Encoding field is in the request, any content-coding 4422 is considered acceptable by the user agent. 4424 2. If the representation has no content-coding, then it is 4425 acceptable by default unless specifically excluded by the Accept- 4426 Encoding field stating either "identity;q=0" or "*;q=0" without a 4427 more specific entry for "identity". 4429 3. If the representation's content-coding is one of the content- 4430 codings listed in the Accept-Encoding field, then it is 4431 acceptable unless it is accompanied by a qvalue of 0. (As 4432 defined in Section 8.4.1, a qvalue of 0 means "not acceptable".) 4434 4. If multiple content-codings are acceptable, then the acceptable 4435 content-coding with the highest non-zero qvalue is preferred. 4437 An Accept-Encoding header field with a combined field-value that is 4438 empty implies that the user agent does not want any content-coding in 4439 response. If an Accept-Encoding header field is present in a request 4440 and none of the available representations for the response have a 4441 content-coding that is listed as acceptable, the origin server SHOULD 4442 send a response without any content-coding. 4444 Note: Most HTTP/1.0 applications do not recognize or obey qvalues 4445 associated with content-codings. This means that qvalues might 4446 not work and are not permitted with x-gzip or x-compress. 4448 8.4.5. Accept-Language 4450 The "Accept-Language" header field can be used by user agents to 4451 indicate the set of natural languages that are preferred in the 4452 response. Language tags are defined in Section 6.1.3. 4454 Accept-Language = 1#( language-range [ weight ] ) 4455 language-range = 4456 4458 Each language-range can be given an associated quality value 4459 representing an estimate of the user's preference for the languages 4460 specified by that range, as defined in Section 8.4.1. For example, 4462 Accept-Language: da, en-gb;q=0.8, en;q=0.7 4464 would mean: "I prefer Danish, but will accept British English and 4465 other types of English". 4467 Note that some recipients treat the order in which language tags are 4468 listed as an indication of descending priority, particularly for tags 4469 that are assigned equal quality values (no value is the same as q=1). 4470 However, this behavior cannot be relied upon. For consistency and to 4471 maximize interoperability, many user agents assign each language tag 4472 a unique quality value while also listing them in order of decreasing 4473 quality. Additional discussion of language priority lists can be 4474 found in Section 2.3 of [RFC4647]. 4476 For matching, Section 3 of [RFC4647] defines several matching 4477 schemes. Implementations can offer the most appropriate matching 4478 scheme for their requirements. The "Basic Filtering" scheme 4479 ([RFC4647], Section 3.3.1) is identical to the matching scheme that 4480 was previously defined for HTTP in Section 14.4 of [RFC2616]. 4482 It might be contrary to the privacy expectations of the user to send 4483 an Accept-Language header field with the complete linguistic 4484 preferences of the user in every request (Section 12.11). 4486 Since intelligibility is highly dependent on the individual user, 4487 user agents need to allow user control over the linguistic preference 4488 (either through configuration of the user agent itself or by 4489 defaulting to a user controllable system setting). A user agent that 4490 does not provide such control to the user MUST NOT send an Accept- 4491 Language header field. 4493 Note: User agents ought to provide guidance to users when setting 4494 a preference, since users are rarely familiar with the details of 4495 language matching as described above. For example, users might 4496 assume that on selecting "en-gb", they will be served any kind of 4497 English document if British English is not available. A user 4498 agent might suggest, in such a case, to add "en" to the list for 4499 better matching behavior. 4501 8.5. Authentication Credentials 4503 HTTP provides a general framework for access control and 4504 authentication, via an extensible set of challenge-response 4505 authentication schemes, which can be used by a server to challenge a 4506 client request and by a client to provide authentication information. 4508 Two header fields are used for carrying authentication credentials. 4509 Note that various custom mechanisms for user authentication use the 4510 Cookie header field for this purpose, as defined in [RFC6265]. 4512 +---------------------+---------------+ 4513 | Header Field Name | Defined in... | 4514 +---------------------+---------------+ 4515 | Authorization | Section 8.5.3 | 4516 | Proxy-Authorization | Section 8.5.4 | 4517 +---------------------+---------------+ 4519 8.5.1. Challenge and Response 4521 HTTP provides a simple challenge-response authentication framework 4522 that can be used by a server to challenge a client request and by a 4523 client to provide authentication information. It uses a case- 4524 insensitive token as a means to identify the authentication scheme, 4525 followed by additional information necessary for achieving 4526 authentication via that scheme. The latter can be either a comma- 4527 separated list of parameters or a single sequence of characters 4528 capable of holding base64-encoded information. 4530 Authentication parameters are name=value pairs, where the name token 4531 is matched case-insensitively, and each parameter name MUST only 4532 occur once per challenge. 4534 auth-scheme = token 4536 auth-param = token BWS "=" BWS ( token / quoted-string ) 4538 token68 = 1*( ALPHA / DIGIT / 4539 "-" / "." / "_" / "~" / "+" / "/" ) *"=" 4541 The token68 syntax allows the 66 unreserved URI characters 4542 ([RFC3986]), plus a few others, so that it can hold a base64, 4543 base64url (URL and filename safe alphabet), base32, or base16 (hex) 4544 encoding, with or without padding, but excluding whitespace 4545 ([RFC4648]). 4547 A 401 (Unauthorized) response message is used by an origin server to 4548 challenge the authorization of a user agent, including a WWW- 4549 Authenticate header field containing at least one challenge 4550 applicable to the requested resource. 4552 A 407 (Proxy Authentication Required) response message is used by a 4553 proxy to challenge the authorization of a client, including a Proxy- 4554 Authenticate header field containing at least one challenge 4555 applicable to the proxy for the requested resource. 4557 challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 4559 Note: Many clients fail to parse a challenge that contains an 4560 unknown scheme. A workaround for this problem is to list well- 4561 supported schemes (such as "basic") first. 4563 A user agent that wishes to authenticate itself with an origin server 4564 -- usually, but not necessarily, after receiving a 401 (Unauthorized) 4565 -- can do so by including an Authorization header field with the 4566 request. 4568 A client that wishes to authenticate itself with a proxy -- usually, 4569 but not necessarily, after receiving a 407 (Proxy Authentication 4570 Required) -- can do so by including a Proxy-Authorization header 4571 field with the request. 4573 Both the Authorization field value and the Proxy-Authorization field 4574 value contain the client's credentials for the realm of the resource 4575 being requested, based upon a challenge received in a response 4576 (possibly at some point in the past). When creating their values, 4577 the user agent ought to do so by selecting the challenge with what it 4578 considers to be the most secure auth-scheme that it understands, 4579 obtaining credentials from the user as appropriate. Transmission of 4580 credentials within header field values implies significant security 4581 considerations regarding the confidentiality of the underlying 4582 connection, as described in Section 12.14.1. 4584 credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 4586 Upon receipt of a request for a protected resource that omits 4587 credentials, contains invalid credentials (e.g., a bad password) or 4588 partial credentials (e.g., when the authentication scheme requires 4589 more than one round trip), an origin server SHOULD send a 401 4590 (Unauthorized) response that contains a WWW-Authenticate header field 4591 with at least one (possibly new) challenge applicable to the 4592 requested resource. 4594 Likewise, upon receipt of a request that omits proxy credentials or 4595 contains invalid or partial proxy credentials, a proxy that requires 4596 authentication SHOULD generate a 407 (Proxy Authentication Required) 4597 response that contains a Proxy-Authenticate header field with at 4598 least one (possibly new) challenge applicable to the proxy. 4600 A server that receives valid credentials that are not adequate to 4601 gain access ought to respond with the 403 (Forbidden) status code 4602 (Section 9.5.4). 4604 HTTP does not restrict applications to this simple challenge-response 4605 framework for access authentication. Additional mechanisms can be 4606 used, such as authentication at the transport level or via message 4607 encapsulation, and with additional header fields specifying 4608 authentication information. However, such additional mechanisms are 4609 not defined by this specification. 4611 8.5.2. Protection Space (Realm) 4613 The "realm" authentication parameter is reserved for use by 4614 authentication schemes that wish to indicate a scope of protection. 4616 A protection space is defined by the canonical root URI (the scheme 4617 and authority components of the effective request URI; see 4618 Section 5.3) of the server being accessed, in combination with the 4619 realm value if present. These realms allow the protected resources 4620 on a server to be partitioned into a set of protection spaces, each 4621 with its own authentication scheme and/or authorization database. 4622 The realm value is a string, generally assigned by the origin server, 4623 that can have additional semantics specific to the authentication 4624 scheme. Note that a response can have multiple challenges with the 4625 same auth-scheme but with different realms. 4627 The protection space determines the domain over which credentials can 4628 be automatically applied. If a prior request has been authorized, 4629 the user agent MAY reuse the same credentials for all other requests 4630 within that protection space for a period of time determined by the 4631 authentication scheme, parameters, and/or user preferences (such as a 4632 configurable inactivity timeout). Unless specifically allowed by the 4633 authentication scheme, a single protection space cannot extend 4634 outside the scope of its server. 4636 For historical reasons, a sender MUST only generate the quoted-string 4637 syntax. Recipients might have to support both token and quoted- 4638 string syntax for maximum interoperability with existing clients that 4639 have been accepting both notations for a long time. 4641 8.5.3. Authorization 4643 The "Authorization" header field allows a user agent to authenticate 4644 itself with an origin server -- usually, but not necessarily, after 4645 receiving a 401 (Unauthorized) response. Its value consists of 4646 credentials containing the authentication information of the user 4647 agent for the realm of the resource being requested. 4649 Authorization = credentials 4651 If a request is authenticated and a realm specified, the same 4652 credentials are presumed to be valid for all other requests within 4653 this realm (assuming that the authentication scheme itself does not 4654 require otherwise, such as credentials that vary according to a 4655 challenge value or using synchronized clocks). 4657 A proxy forwarding a request MUST NOT modify any Authorization fields 4658 in that request. See Section 3.2 of [Caching] for details of and 4659 requirements pertaining to handling of the Authorization field by 4660 HTTP caches. 4662 8.5.4. Proxy-Authorization 4664 The "Proxy-Authorization" header field allows the client to identify 4665 itself (or its user) to a proxy that requires authentication. Its 4666 value consists of credentials containing the authentication 4667 information of the client for the proxy and/or realm of the resource 4668 being requested. 4670 Proxy-Authorization = credentials 4672 Unlike Authorization, the Proxy-Authorization header field applies 4673 only to the next inbound proxy that demanded authentication using the 4674 Proxy-Authenticate field. When multiple proxies are used in a chain, 4675 the Proxy-Authorization header field is consumed by the first inbound 4676 proxy that was expecting to receive credentials. A proxy MAY relay 4677 the credentials from the client request to the next proxy if that is 4678 the mechanism by which the proxies cooperatively authenticate a given 4679 request. 4681 8.5.5. Authentication Scheme Extensibility 4683 Aside from the general framework, this document does not specify any 4684 authentication schemes. New and existing authentication schemes are 4685 specified independently and ought to be registered within the 4686 "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry". 4687 For example, the "basic" and "digest" authentication schemes are 4688 defined by RFC 7617 and RFC 7616, respectively. 4690 8.5.5.1. Authentication Scheme Registry 4692 The "Hypertext Transfer Protocol (HTTP) Authentication Scheme 4693 Registry" defines the namespace for the authentication schemes in 4694 challenges and credentials. It is maintained at 4695 . 4697 Registrations MUST include the following fields: 4699 o Authentication Scheme Name 4701 o Pointer to specification text 4703 o Notes (optional) 4705 Values to be added to this namespace require IETF Review (see 4706 [RFC8126], Section 4.8). 4708 8.5.5.2. Considerations for New Authentication Schemes 4710 There are certain aspects of the HTTP Authentication framework that 4711 put constraints on how new authentication schemes can work: 4713 o HTTP authentication is presumed to be stateless: all of the 4714 information necessary to authenticate a request MUST be provided 4715 in the request, rather than be dependent on the server remembering 4716 prior requests. Authentication based on, or bound to, the 4717 underlying connection is outside the scope of this specification 4718 and inherently flawed unless steps are taken to ensure that the 4719 connection cannot be used by any party other than the 4720 authenticated user (see Section 2.2). 4722 o The authentication parameter "realm" is reserved for defining 4723 protection spaces as described in Section 8.5.2. New schemes MUST 4724 NOT use it in a way incompatible with that definition. 4726 o The "token68" notation was introduced for compatibility with 4727 existing authentication schemes and can only be used once per 4728 challenge or credential. Thus, new schemes ought to use the auth- 4729 param syntax instead, because otherwise future extensions will be 4730 impossible. 4732 o The parsing of challenges and credentials is defined by this 4733 specification and cannot be modified by new authentication 4734 schemes. When the auth-param syntax is used, all parameters ought 4735 to support both token and quoted-string syntax, and syntactical 4736 constraints ought to be defined on the field value after parsing 4737 (i.e., quoted-string processing). This is necessary so that 4738 recipients can use a generic parser that applies to all 4739 authentication schemes. 4741 Note: The fact that the value syntax for the "realm" parameter is 4742 restricted to quoted-string was a bad design choice not to be 4743 repeated for new parameters. 4745 o Definitions of new schemes ought to define the treatment of 4746 unknown extension parameters. In general, a "must-ignore" rule is 4747 preferable to a "must-understand" rule, because otherwise it will 4748 be hard to introduce new parameters in the presence of legacy 4749 recipients. Furthermore, it's good to describe the policy for 4750 defining new parameters (such as "update the specification" or 4751 "use this registry"). 4753 o Authentication schemes need to document whether they are usable in 4754 origin-server authentication (i.e., using WWW-Authenticate), and/ 4755 or proxy authentication (i.e., using Proxy-Authenticate). 4757 o The credentials carried in an Authorization header field are 4758 specific to the user agent and, therefore, have the same effect on 4759 HTTP caches as the "private" Cache-Control response directive 4760 (Section 5.2.2.6 of [Caching]), within the scope of the request in 4761 which they appear. 4763 Therefore, new authentication schemes that choose not to carry 4764 credentials in the Authorization header field (e.g., using a newly 4765 defined header field) will need to explicitly disallow caching, by 4766 mandating the use of Cache-Control response directives (e.g., 4767 "private"). 4769 o Schemes using Authentication-Info, Proxy-Authentication-Info, or 4770 any other authentication related response header field need to 4771 consider and document the related security considerations (see 4772 Section 12.14.4). 4774 8.6. Request Context 4776 The following request header fields provide additional information 4777 about the request context, including information about the user, user 4778 agent, and resource behind the request. 4780 +-------------------+---------------+ 4781 | Header Field Name | Defined in... | 4782 +-------------------+---------------+ 4783 | From | Section 8.6.1 | 4784 | Referer | Section 8.6.2 | 4785 | User-Agent | Section 8.6.3 | 4786 +-------------------+---------------+ 4788 8.6.1. From 4790 The "From" header field contains an Internet email address for a 4791 human user who controls the requesting user agent. The address ought 4792 to be machine-usable, as defined by "mailbox" in Section 3.4 of 4793 [RFC5322]: 4795 From = mailbox 4797 mailbox = 4799 An example is: 4801 From: webmaster@example.org 4803 The From header field is rarely sent by non-robotic user agents. A 4804 user agent SHOULD NOT send a From header field without explicit 4805 configuration by the user, since that might conflict with the user's 4806 privacy interests or their site's security policy. 4808 A robotic user agent SHOULD send a valid From header field so that 4809 the person responsible for running the robot can be contacted if 4810 problems occur on servers, such as if the robot is sending excessive, 4811 unwanted, or invalid requests. 4813 A server SHOULD NOT use the From header field for access control or 4814 authentication, since most recipients will assume that the field 4815 value is public information. 4817 8.6.2. Referer 4819 The "Referer" [sic] header field allows the user agent to specify a 4820 URI reference for the resource from which the target URI was obtained 4821 (i.e., the "referrer", though the field name is misspelled). A user 4822 agent MUST NOT include the fragment and userinfo components of the 4823 URI reference [RFC3986], if any, when generating the Referer field 4824 value. 4826 Referer = absolute-URI / partial-URI 4828 The Referer header field allows servers to generate back-links to 4829 other resources for simple analytics, logging, optimized caching, 4830 etc. It also allows obsolete or mistyped links to be found for 4831 maintenance. Some servers use the Referer header field as a means of 4832 denying links from other sites (so-called "deep linking") or 4833 restricting cross-site request forgery (CSRF), but not all requests 4834 contain it. 4836 Example: 4838 Referer: http://www.example.org/hypertext/Overview.html 4840 If the target URI was obtained from a source that does not have its 4841 own URI (e.g., input from the user keyboard, or an entry within the 4842 user's bookmarks/favorites), the user agent MUST either exclude the 4843 Referer field or send it with a value of "about:blank". 4845 The Referer field has the potential to reveal information about the 4846 request context or browsing history of the user, which is a privacy 4847 concern if the referring resource's identifier reveals personal 4848 information (such as an account name) or a resource that is supposed 4849 to be confidential (such as behind a firewall or internal to a 4850 secured service). Most general-purpose user agents do not send the 4851 Referer header field when the referring resource is a local "file" or 4852 "data" URI. A user agent MUST NOT send a Referer header field in an 4853 unsecured HTTP request if the referring page was received with a 4854 secure protocol. See Section 12.8 for additional security 4855 considerations. 4857 Some intermediaries have been known to indiscriminately remove 4858 Referer header fields from outgoing requests. This has the 4859 unfortunate side effect of interfering with protection against CSRF 4860 attacks, which can be far more harmful to their users. 4861 Intermediaries and user agent extensions that wish to limit 4862 information disclosure in Referer ought to restrict their changes to 4863 specific edits, such as replacing internal domain names with 4864 pseudonyms or truncating the query and/or path components. An 4865 intermediary SHOULD NOT modify or delete the Referer header field 4866 when the field value shares the same scheme and host as the request 4867 target. 4869 8.6.3. User-Agent 4871 The "User-Agent" header field contains information about the user 4872 agent originating the request, which is often used by servers to help 4873 identify the scope of reported interoperability problems, to work 4874 around or tailor responses to avoid particular user agent 4875 limitations, and for analytics regarding browser or operating system 4876 use. A user agent SHOULD send a User-Agent field in each request 4877 unless specifically configured not to do so. 4879 User-Agent = product *( RWS ( product / comment ) ) 4881 The User-Agent field-value consists of one or more product 4882 identifiers, each followed by zero or more comments (Section 5 of 4883 [Messaging]), which together identify the user agent software and its 4884 significant subproducts. By convention, the product identifiers are 4885 listed in decreasing order of their significance for identifying the 4886 user agent software. Each product identifier consists of a name and 4887 optional version. 4889 product = token ["/" product-version] 4890 product-version = token 4892 A sender SHOULD limit generated product identifiers to what is 4893 necessary to identify the product; a sender MUST NOT generate 4894 advertising or other nonessential information within the product 4895 identifier. A sender SHOULD NOT generate information in product- 4896 version that is not a version identifier (i.e., successive versions 4897 of the same product name ought to differ only in the product-version 4898 portion of the product identifier). 4900 Example: 4902 User-Agent: CERN-LineMode/2.15 libwww/2.17b3 4904 A user agent SHOULD NOT generate a User-Agent field containing 4905 needlessly fine-grained detail and SHOULD limit the addition of 4906 subproducts by third parties. Overly long and detailed User-Agent 4907 field values increase request latency and the risk of a user being 4908 identified against their wishes ("fingerprinting"). 4910 Likewise, implementations are encouraged not to use the product 4911 tokens of other implementations in order to declare compatibility 4912 with them, as this circumvents the purpose of the field. If a user 4913 agent masquerades as a different user agent, recipients can assume 4914 that the user intentionally desires to see responses tailored for 4915 that identified user agent, even if they might not work as well for 4916 the actual user agent being used. 4918 9. Response Status Codes 4920 The (response) status code is a three-digit integer code giving the 4921 result of the attempt to understand and satisfy the request. 4923 HTTP status codes are extensible. HTTP clients are not required to 4924 understand the meaning of all registered status codes, though such 4925 understanding is obviously desirable. However, a client MUST 4926 understand the class of any status code, as indicated by the first 4927 digit, and treat an unrecognized status code as being equivalent to 4928 the x00 status code of that class, with the exception that a 4929 recipient MUST NOT cache a response with an unrecognized status code. 4931 For example, if an unrecognized status code of 471 is received by a 4932 client, the client can assume that there was something wrong with its 4933 request and treat the response as if it had received a 400 (Bad 4934 Request) status code. The response message will usually contain a 4935 representation that explains the status. 4937 The first digit of the status code defines the class of response. 4938 The last two digits do not have any categorization role. There are 4939 five values for the first digit: 4941 o 1xx (Informational): The request was received, continuing process 4943 o 2xx (Successful): The request was successfully received, 4944 understood, and accepted 4946 o 3xx (Redirection): Further action needs to be taken in order to 4947 complete the request 4949 o 4xx (Client Error): The request contains bad syntax or cannot be 4950 fulfilled 4952 o 5xx (Server Error): The server failed to fulfill an apparently 4953 valid request 4955 9.1. Overview of Status Codes 4957 The status codes listed below are defined in this specification. The 4958 reason phrases listed here are only recommendations -- they can be 4959 replaced by local equivalents without affecting the protocol. 4961 Responses with status codes that are defined as cacheable by default 4962 (e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, and 501 in 4963 this specification) can be reused by a cache with heuristic 4964 expiration unless otherwise indicated by the method definition or 4965 explicit cache controls [Caching]; all other status codes are not 4966 cacheable by default. 4968 +-------+-------------------------------+-----------------+ 4969 | Value | Description | Reference | 4970 +-------+-------------------------------+-----------------+ 4971 | 100 | Continue | Section 9.2.1 | 4972 | 101 | Switching Protocols | Section 9.2.2 | 4973 | 200 | OK | Section 9.3.1 | 4974 | 201 | Created | Section 9.3.2 | 4975 | 202 | Accepted | Section 9.3.3 | 4976 | 203 | Non-Authoritative Information | Section 9.3.4 | 4977 | 204 | No Content | Section 9.3.5 | 4978 | 205 | Reset Content | Section 9.3.6 | 4979 | 206 | Partial Content | Section 9.3.7 | 4980 | 300 | Multiple Choices | Section 9.4.1 | 4981 | 301 | Moved Permanently | Section 9.4.2 | 4982 | 302 | Found | Section 9.4.3 | 4983 | 303 | See Other | Section 9.4.4 | 4984 | 304 | Not Modified | Section 9.4.5 | 4985 | 305 | Use Proxy | Section 9.4.6 | 4986 | 306 | (Unused) | Section 9.4.7 | 4987 | 307 | Temporary Redirect | Section 9.4.8 | 4988 | 308 | Permanent Redirect | Section 9.4.9 | 4989 | 400 | Bad Request | Section 9.5.1 | 4990 | 401 | Unauthorized | Section 9.5.2 | 4991 | 402 | Payment Required | Section 9.5.3 | 4992 | 403 | Forbidden | Section 9.5.4 | 4993 | 404 | Not Found | Section 9.5.5 | 4994 | 405 | Method Not Allowed | Section 9.5.6 | 4995 | 406 | Not Acceptable | Section 9.5.7 | 4996 | 407 | Proxy Authentication Required | Section 9.5.8 | 4997 | 408 | Request Timeout | Section 9.5.9 | 4998 | 409 | Conflict | Section 9.5.10 | 4999 | 410 | Gone | Section 9.5.11 | 5000 | 411 | Length Required | Section 9.5.12 | 5001 | 412 | Precondition Failed | Section 9.5.13 | 5002 | 413 | Payload Too Large | Section 9.5.14 | 5003 | 414 | URI Too Long | Section 9.5.15 | 5004 | 415 | Unsupported Media Type | Section 9.5.16 | 5005 | 416 | Range Not Satisfiable | Section 9.5.17 | 5006 | 417 | Expectation Failed | Section 9.5.18 | 5007 | 418 | (Unused) | Section 9.5.19 | 5008 | 422 | Unprocessable Entity | Section 9.5.20 | 5009 | 426 | Upgrade Required | Section 9.5.21 | 5010 | 500 | Internal Server Error | Section 9.6.1 | 5011 | 501 | Not Implemented | Section 9.6.2 | 5012 | 502 | Bad Gateway | Section 9.6.3 | 5013 | 503 | Service Unavailable | Section 9.6.4 | 5014 | 504 | Gateway Timeout | Section 9.6.5 | 5015 | 505 | HTTP Version Not Supported | Section 9.6.6 | 5016 +-------+-------------------------------+-----------------+ 5018 Note that this list is not exhaustive -- it does not include 5019 extension status codes defined in other specifications (Section 9.7). 5021 9.2. Informational 1xx 5023 The 1xx (Informational) class of status code indicates an interim 5024 response for communicating connection status or request progress 5025 prior to completing the requested action and sending a final 5026 response. 1xx responses are terminated by the first empty line after 5027 the status-line (the empty line signaling the end of the header 5028 section). Since HTTP/1.0 did not define any 1xx status codes, a 5029 server MUST NOT send a 1xx response to an HTTP/1.0 client. 5031 A client MUST be able to parse one or more 1xx responses received 5032 prior to a final response, even if the client does not expect one. A 5033 user agent MAY ignore unexpected 1xx responses. 5035 A proxy MUST forward 1xx responses unless the proxy itself requested 5036 the generation of the 1xx response. For example, if a proxy adds an 5037 "Expect: 100-continue" field when it forwards a request, then it need 5038 not forward the corresponding 100 (Continue) response(s). 5040 9.2.1. 100 Continue 5042 The 100 (Continue) status code indicates that the initial part of a 5043 request has been received and has not yet been rejected by the 5044 server. The server intends to send a final response after the 5045 request has been fully received and acted upon. 5047 When the request contains an Expect header field that includes a 5048 100-continue expectation, the 100 response indicates that the server 5049 wishes to receive the request payload body, as described in 5050 Section 8.1.1. The client ought to continue sending the request and 5051 discard the 100 response. 5053 If the request did not contain an Expect header field containing the 5054 100-continue expectation, the client can simply discard this interim 5055 response. 5057 9.2.2. 101 Switching Protocols 5059 The 101 (Switching Protocols) status code indicates that the server 5060 understands and is willing to comply with the client's request, via 5061 the Upgrade header field (Section 9.8 of [Messaging]), for a change 5062 in the application protocol being used on this connection. The 5063 server MUST generate an Upgrade header field in the response that 5064 indicates which protocol(s) will be switched to immediately after the 5065 empty line that terminates the 101 response. 5067 It is assumed that the server will only agree to switch protocols 5068 when it is advantageous to do so. For example, switching to a newer 5069 version of HTTP might be advantageous over older versions, and 5070 switching to a real-time, synchronous protocol might be advantageous 5071 when delivering resources that use such features. 5073 9.3. Successful 2xx 5075 The 2xx (Successful) class of status code indicates that the client's 5076 request was successfully received, understood, and accepted. 5078 9.3.1. 200 OK 5080 The 200 (OK) status code indicates that the request has succeeded. 5081 The payload sent in a 200 response depends on the request method. 5082 For the methods defined by this specification, the intended meaning 5083 of the payload can be summarized as: 5085 GET a representation of the target resource; 5087 HEAD the same representation as GET, but without the representation 5088 data; 5090 POST a representation of the status of, or results obtained from, 5091 the action; 5093 PUT, DELETE a representation of the status of the action; 5095 OPTIONS a representation of the communications options; 5097 TRACE a representation of the request message as received by the end 5098 server. 5100 Aside from responses to CONNECT, a 200 response always has a payload, 5101 though an origin server MAY generate a payload body of zero length. 5102 If no payload is desired, an origin server ought to send 204 (No 5103 Content) instead. For CONNECT, no payload is allowed because the 5104 successful result is a tunnel, which begins immediately after the 200 5105 response header section. 5107 A 200 response is cacheable by default; i.e., unless otherwise 5108 indicated by the method definition or explicit cache controls (see 5109 Section 4.2.2 of [Caching]). 5111 9.3.2. 201 Created 5113 The 201 (Created) status code indicates that the request has been 5114 fulfilled and has resulted in one or more new resources being 5115 created. The primary resource created by the request is identified 5116 by either a Location header field in the response or, if no Location 5117 field is received, by the effective request URI. 5119 The 201 response payload typically describes and links to the 5120 resource(s) created. See Section 10.2 for a discussion of the 5121 meaning and purpose of validator header fields, such as ETag and 5122 Last-Modified, in a 201 response. 5124 9.3.3. 202 Accepted 5126 The 202 (Accepted) status code indicates that the request has been 5127 accepted for processing, but the processing has not been completed. 5128 The request might or might not eventually be acted upon, as it might 5129 be disallowed when processing actually takes place. There is no 5130 facility in HTTP for re-sending a status code from an asynchronous 5131 operation. 5133 The 202 response is intentionally noncommittal. Its purpose is to 5134 allow a server to accept a request for some other process (perhaps a 5135 batch-oriented process that is only run once per day) without 5136 requiring that the user agent's connection to the server persist 5137 until the process is completed. The representation sent with this 5138 response ought to describe the request's current status and point to 5139 (or embed) a status monitor that can provide the user with an 5140 estimate of when the request will be fulfilled. 5142 9.3.4. 203 Non-Authoritative Information 5144 The 203 (Non-Authoritative Information) status code indicates that 5145 the request was successful but the enclosed payload has been modified 5146 from that of the origin server's 200 (OK) response by a transforming 5147 proxy (Section 5.5.2). This status code allows the proxy to notify 5148 recipients when a transformation has been applied, since that 5149 knowledge might impact later decisions regarding the content. For 5150 example, future cache validation requests for the content might only 5151 be applicable along the same request path (through the same proxies). 5153 The 203 response is similar to the Warning code of 214 Transformation 5154 Applied (Section 5.5 of [Caching]), which has the advantage of being 5155 applicable to responses with any status code. 5157 A 203 response is cacheable by default; i.e., unless otherwise 5158 indicated by the method definition or explicit cache controls (see 5159 Section 4.2.2 of [Caching]). 5161 9.3.5. 204 No Content 5163 The 204 (No Content) status code indicates that the server has 5164 successfully fulfilled the request and that there is no additional 5165 content to send in the response payload body. Metadata in the 5166 response header fields refer to the target resource and its selected 5167 representation after the requested action was applied. 5169 For example, if a 204 status code is received in response to a PUT 5170 request and the response contains an ETag header field, then the PUT 5171 was successful and the ETag field-value contains the entity-tag for 5172 the new representation of that target resource. 5174 The 204 response allows a server to indicate that the action has been 5175 successfully applied to the target resource, while implying that the 5176 user agent does not need to traverse away from its current "document 5177 view" (if any). The server assumes that the user agent will provide 5178 some indication of the success to its user, in accord with its own 5179 interface, and apply any new or updated metadata in the response to 5180 its active representation. 5182 For example, a 204 status code is commonly used with document editing 5183 interfaces corresponding to a "save" action, such that the document 5184 being saved remains available to the user for editing. It is also 5185 frequently used with interfaces that expect automated data transfers 5186 to be prevalent, such as within distributed version control systems. 5188 A 204 response is terminated by the first empty line after the header 5189 fields because it cannot contain a message body. 5191 A 204 response is cacheable by default; i.e., unless otherwise 5192 indicated by the method definition or explicit cache controls (see 5193 Section 4.2.2 of [Caching]). 5195 9.3.6. 205 Reset Content 5197 The 205 (Reset Content) status code indicates that the server has 5198 fulfilled the request and desires that the user agent reset the 5199 "document view", which caused the request to be sent, to its original 5200 state as received from the origin server. 5202 This response is intended to support a common data entry use case 5203 where the user receives content that supports data entry (a form, 5204 notepad, canvas, etc.), enters or manipulates data in that space, 5205 causes the entered data to be submitted in a request, and then the 5206 data entry mechanism is reset for the next entry so that the user can 5207 easily initiate another input action. 5209 Since the 205 status code implies that no additional content will be 5210 provided, a server MUST NOT generate a payload in a 205 response. In 5211 other words, a server MUST do one of the following for a 205 5212 response: a) indicate a zero-length body for the response by 5213 including a Content-Length header field with a value of 0; b) 5214 indicate a zero-length payload for the response by including a 5215 Transfer-Encoding header field with a value of chunked and a message 5216 body consisting of a single chunk of zero-length; or, c) close the 5217 connection immediately after sending the blank line terminating the 5218 header section. 5220 9.3.7. 206 Partial Content 5222 The 206 (Partial Content) status code indicates that the server is 5223 successfully fulfilling a range request for the target resource by 5224 transferring one or more parts of the selected representation. 5226 When a 206 response is generated, the server MUST generate the 5227 following header fields, in addition to those required in the 5228 subsections below, if the field would have been sent in a 200 (OK) 5229 response to the same request: Date, Cache-Control, ETag, Expires, 5230 Content-Location, and Vary. 5232 If a 206 is generated in response to a request with an If-Range 5233 header field, the sender SHOULD NOT generate other representation 5234 header fields beyond those required, because the client is understood 5235 to already have a prior response containing those header fields. 5236 Otherwise, the sender MUST generate all of the representation header 5237 fields that would have been sent in a 200 (OK) response to the same 5238 request. 5240 A 206 response is cacheable by default; i.e., unless otherwise 5241 indicated by explicit cache controls (see Section 4.2.2 of 5242 [Caching]). 5244 9.3.7.1. Single Part 5246 If a single part is being transferred, the server generating the 206 5247 response MUST generate a Content-Range header field, describing what 5248 range of the selected representation is enclosed, and a payload 5249 consisting of the range. For example: 5251 HTTP/1.1 206 Partial Content 5252 Date: Wed, 15 Nov 1995 06:25:24 GMT 5253 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 5254 Content-Range: bytes 21010-47021/47022 5255 Content-Length: 26012 5256 Content-Type: image/gif 5258 ... 26012 bytes of partial image data ... 5260 9.3.7.2. Multiple Parts 5262 If multiple parts are being transferred, the server generating the 5263 206 response MUST generate a "multipart/byteranges" payload, as 5264 defined in Section 6.3.4, and a Content-Type header field containing 5265 the multipart/byteranges media type and its required boundary 5266 parameter. To avoid confusion with single-part responses, a server 5267 MUST NOT generate a Content-Range header field in the HTTP header 5268 section of a multiple part response (this field will be sent in each 5269 part instead). 5271 Within the header area of each body part in the multipart payload, 5272 the server MUST generate a Content-Range header field corresponding 5273 to the range being enclosed in that body part. If the selected 5274 representation would have had a Content-Type header field in a 200 5275 (OK) response, the server SHOULD generate that same Content-Type 5276 field in the header area of each body part. For example: 5278 HTTP/1.1 206 Partial Content 5279 Date: Wed, 15 Nov 1995 06:25:24 GMT 5280 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 5281 Content-Length: 1741 5282 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 5284 --THIS_STRING_SEPARATES 5285 Content-Type: application/pdf 5286 Content-Range: bytes 500-999/8000 5288 ...the first range... 5289 --THIS_STRING_SEPARATES 5290 Content-Type: application/pdf 5291 Content-Range: bytes 7000-7999/8000 5293 ...the second range 5294 --THIS_STRING_SEPARATES-- 5296 When multiple ranges are requested, a server MAY coalesce any of the 5297 ranges that overlap, or that are separated by a gap that is smaller 5298 than the overhead of sending multiple parts, regardless of the order 5299 in which the corresponding byte-range-spec appeared in the received 5300 Range header field. Since the typical overhead between parts of a 5301 multipart/byteranges payload is around 80 bytes, depending on the 5302 selected representation's media type and the chosen boundary 5303 parameter length, it can be less efficient to transfer many small 5304 disjoint parts than it is to transfer the entire selected 5305 representation. 5307 A server MUST NOT generate a multipart response to a request for a 5308 single range, since a client that does not request multiple parts 5309 might not support multipart responses. However, a server MAY 5310 generate a multipart/byteranges payload with only a single body part 5311 if multiple ranges were requested and only one range was found to be 5312 satisfiable or only one range remained after coalescing. A client 5313 that cannot process a multipart/byteranges response MUST NOT generate 5314 a request that asks for multiple ranges. 5316 When a multipart response payload is generated, the server SHOULD 5317 send the parts in the same order that the corresponding byte-range- 5318 spec appeared in the received Range header field, excluding those 5319 ranges that were deemed unsatisfiable or that were coalesced into 5320 other ranges. A client that receives a multipart response MUST 5321 inspect the Content-Range header field present in each body part in 5322 order to determine which range is contained in that body part; a 5323 client cannot rely on receiving the same ranges that it requested, 5324 nor the same order that it requested. 5326 9.3.7.3. Combining Parts 5328 A response might transfer only a subrange of a representation if the 5329 connection closed prematurely or if the request used one or more 5330 Range specifications. After several such transfers, a client might 5331 have received several ranges of the same representation. These 5332 ranges can only be safely combined if they all have in common the 5333 same strong validator (Section 10.2.1). 5335 A client that has received multiple partial responses to GET requests 5336 on a target resource MAY combine those responses into a larger 5337 continuous range if they share the same strong validator. 5339 If the most recent response is an incomplete 200 (OK) response, then 5340 the header fields of that response are used for any combined response 5341 and replace those of the matching stored responses. 5343 If the most recent response is a 206 (Partial Content) response and 5344 at least one of the matching stored responses is a 200 (OK), then the 5345 combined response header fields consist of the most recent 200 5346 response's header fields. If all of the matching stored responses 5347 are 206 responses, then the stored response with the most recent 5348 header fields is used as the source of header fields for the combined 5349 response, except that the client MUST use other header fields 5350 provided in the new response, aside from Content-Range, to replace 5351 all instances of the corresponding header fields in the stored 5352 response. 5354 The combined response message body consists of the union of partial 5355 content ranges in the new response and each of the selected 5356 responses. If the union consists of the entire range of the 5357 representation, then the client MUST process the combined response as 5358 if it were a complete 200 (OK) response, including a Content-Length 5359 header field that reflects the complete length. Otherwise, the 5360 client MUST process the set of continuous ranges as one of the 5361 following: an incomplete 200 (OK) response if the combined response 5362 is a prefix of the representation, a single 206 (Partial Content) 5363 response containing a multipart/byteranges body, or multiple 206 5364 (Partial Content) responses, each with one continuous range that is 5365 indicated by a Content-Range header field. 5367 9.4. Redirection 3xx 5369 The 3xx (Redirection) class of status code indicates that further 5370 action needs to be taken by the user agent in order to fulfill the 5371 request. If a Location header field (Section 10.1.2) is provided, 5372 the user agent MAY automatically redirect its request to the URI 5373 referenced by the Location field value, even if the specific status 5374 code is not understood. Automatic redirection needs to be done with 5375 care for methods not known to be safe, as defined in Section 7.2.1, 5376 since the user might not wish to redirect an unsafe request. 5378 There are several types of redirects: 5380 1. Redirects that indicate the resource might be available at a 5381 different URI, as provided by the Location field, as in the 5382 status codes 301 (Moved Permanently), 302 (Found), 307 (Temporary 5383 Redirect), and 308 (Permanent Redirect). 5385 2. Redirection that offers a choice of matching resources, each 5386 capable of representing the original request target, as in the 5387 300 (Multiple Choices) status code. 5389 3. Redirection to a different resource, identified by the Location 5390 field, that can represent an indirect response to the request, as 5391 in the 303 (See Other) status code. 5393 4. Redirection to a previously cached result, as in the 304 (Not 5394 Modified) status code. 5396 Note: In HTTP/1.0, the status codes 301 (Moved Permanently) and 5397 302 (Found) were defined for the first type of redirect 5398 ([RFC1945], Section 9.3). Early user agents split on whether the 5399 method applied to the redirect target would be the same as the 5400 original request or would be rewritten as GET. Although HTTP 5401 originally defined the former semantics for 301 and 302 (to match 5402 its original implementation at CERN), and defined 303 (See Other) 5403 to match the latter semantics, prevailing practice gradually 5404 converged on the latter semantics for 301 and 302 as well. The 5405 first revision of HTTP/1.1 added 307 (Temporary Redirect) to 5406 indicate the former semantics of 302 without being impacted by 5407 divergent practice. For the same reason, 308 (Permanent Redirect) 5408 was later on added in [RFC7538] to match 301. Over 10 years 5409 later, most user agents still do method rewriting for 301 and 302; 5410 therefore, [RFC7231] made that behavior conformant when the 5411 original request is POST. 5413 A client SHOULD detect and intervene in cyclical redirections (i.e., 5414 "infinite" redirection loops). 5416 Note: An earlier version of this specification recommended a 5417 maximum of five redirections ([RFC2068], Section 10.3). Content 5418 developers need to be aware that some clients might implement such 5419 a fixed limitation. 5421 9.4.1. 300 Multiple Choices 5423 The 300 (Multiple Choices) status code indicates that the target 5424 resource has more than one representation, each with its own more 5425 specific identifier, and information about the alternatives is being 5426 provided so that the user (or user agent) can select a preferred 5427 representation by redirecting its request to one or more of those 5428 identifiers. In other words, the server desires that the user agent 5429 engage in reactive negotiation to select the most appropriate 5430 representation(s) for its needs (Section 6.4). 5432 If the server has a preferred choice, the server SHOULD generate a 5433 Location header field containing a preferred choice's URI reference. 5434 The user agent MAY use the Location field value for automatic 5435 redirection. 5437 For request methods other than HEAD, the server SHOULD generate a 5438 payload in the 300 response containing a list of representation 5439 metadata and URI reference(s) from which the user or user agent can 5440 choose the one most preferred. The user agent MAY make a selection 5441 from that list automatically if it understands the provided media 5442 type. A specific format for automatic selection is not defined by 5443 this specification because HTTP tries to remain orthogonal to the 5444 definition of its payloads. In practice, the representation is 5445 provided in some easily parsed format believed to be acceptable to 5446 the user agent, as determined by shared design or content 5447 negotiation, or in some commonly accepted hypertext format. 5449 A 300 response is cacheable by default; i.e., unless otherwise 5450 indicated by the method definition or explicit cache controls (see 5451 Section 4.2.2 of [Caching]). 5453 Note: The original proposal for the 300 status code defined the 5454 URI header field as providing a list of alternative 5455 representations, such that it would be usable for 200, 300, and 5456 406 responses and be transferred in responses to the HEAD method. 5457 However, lack of deployment and disagreement over syntax led to 5458 both URI and Alternates (a subsequent proposal) being dropped from 5459 this specification. It is possible to communicate the list using 5460 a set of Link header fields [RFC8288], each with a relationship of 5461 "alternate", though deployment is a chicken-and-egg problem. 5463 9.4.2. 301 Moved Permanently 5465 The 301 (Moved Permanently) status code indicates that the target 5466 resource has been assigned a new permanent URI and any future 5467 references to this resource ought to use one of the enclosed URIs. 5468 Clients with link-editing capabilities ought to automatically re-link 5469 references to the effective request URI to one or more of the new 5470 references sent by the server, where possible. 5472 The server SHOULD generate a Location header field in the response 5473 containing a preferred URI reference for the new permanent URI. The 5474 user agent MAY use the Location field value for automatic 5475 redirection. The server's response payload usually contains a short 5476 hypertext note with a hyperlink to the new URI(s). 5478 Note: For historical reasons, a user agent MAY change the request 5479 method from POST to GET for the subsequent request. If this 5480 behavior is undesired, the 308 (Permanent Redirect) status code 5481 can be used instead. 5483 A 301 response is cacheable by default; i.e., unless otherwise 5484 indicated by the method definition or explicit cache controls (see 5485 Section 4.2.2 of [Caching]). 5487 9.4.3. 302 Found 5489 The 302 (Found) status code indicates that the target resource 5490 resides temporarily under a different URI. Since the redirection 5491 might be altered on occasion, the client ought to continue to use the 5492 effective request URI for future requests. 5494 The server SHOULD generate a Location header field in the response 5495 containing a URI reference for the different URI. The user agent MAY 5496 use the Location field value for automatic redirection. The server's 5497 response payload usually contains a short hypertext note with a 5498 hyperlink to the different URI(s). 5500 Note: For historical reasons, a user agent MAY change the request 5501 method from POST to GET for the subsequent request. If this 5502 behavior is undesired, the 307 (Temporary Redirect) status code 5503 can be used instead. 5505 9.4.4. 303 See Other 5507 The 303 (See Other) status code indicates that the server is 5508 redirecting the user agent to a different resource, as indicated by a 5509 URI in the Location header field, which is intended to provide an 5510 indirect response to the original request. A user agent can perform 5511 a retrieval request targeting that URI (a GET or HEAD request if 5512 using HTTP), which might also be redirected, and present the eventual 5513 result as an answer to the original request. Note that the new URI 5514 in the Location header field is not considered equivalent to the 5515 effective request URI. 5517 This status code is applicable to any HTTP method. It is primarily 5518 used to allow the output of a POST action to redirect the user agent 5519 to a selected resource, since doing so provides the information 5520 corresponding to the POST response in a form that can be separately 5521 identified, bookmarked, and cached, independent of the original 5522 request. 5524 A 303 response to a GET request indicates that the origin server does 5525 not have a representation of the target resource that can be 5526 transferred by the server over HTTP. However, the Location field 5527 value refers to a resource that is descriptive of the target 5528 resource, such that making a retrieval request on that other resource 5529 might result in a representation that is useful to recipients without 5530 implying that it represents the original target resource. Note that 5531 answers to the questions of what can be represented, what 5532 representations are adequate, and what might be a useful description 5533 are outside the scope of HTTP. 5535 Except for responses to a HEAD request, the representation of a 303 5536 response ought to contain a short hypertext note with a hyperlink to 5537 the same URI reference provided in the Location header field. 5539 9.4.5. 304 Not Modified 5541 The 304 (Not Modified) status code indicates that a conditional GET 5542 or HEAD request has been received and would have resulted in a 200 5543 (OK) response if it were not for the fact that the condition 5544 evaluated to false. In other words, there is no need for the server 5545 to transfer a representation of the target resource because the 5546 request indicates that the client, which made the request 5547 conditional, already has a valid representation; the server is 5548 therefore redirecting the client to make use of that stored 5549 representation as if it were the payload of a 200 (OK) response. 5551 The server generating a 304 response MUST generate any of the 5552 following header fields that would have been sent in a 200 (OK) 5553 response to the same request: Cache-Control, Content-Location, Date, 5554 ETag, Expires, and Vary. 5556 Since the goal of a 304 response is to minimize information transfer 5557 when the recipient already has one or more cached representations, a 5558 sender SHOULD NOT generate representation metadata other than the 5559 above listed fields unless said metadata exists for the purpose of 5560 guiding cache updates (e.g., Last-Modified might be useful if the 5561 response does not have an ETag field). 5563 Requirements on a cache that receives a 304 response are defined in 5564 Section 4.3.4 of [Caching]. If the conditional request originated 5565 with an outbound client, such as a user agent with its own cache 5566 sending a conditional GET to a shared proxy, then the proxy SHOULD 5567 forward the 304 response to that client. 5569 A 304 response cannot contain a message-body; it is always terminated 5570 by the first empty line after the header fields. 5572 9.4.6. 305 Use Proxy 5574 The 305 (Use Proxy) status code was defined in a previous version of 5575 this specification and is now deprecated (Appendix B of [RFC7231]). 5577 9.4.7. 306 (Unused) 5579 The 306 status code was defined in a previous version of this 5580 specification, is no longer used, and the code is reserved. 5582 9.4.8. 307 Temporary Redirect 5584 The 307 (Temporary Redirect) status code indicates that the target 5585 resource resides temporarily under a different URI and the user agent 5586 MUST NOT change the request method if it performs an automatic 5587 redirection to that URI. Since the redirection can change over time, 5588 the client ought to continue using the original effective request URI 5589 for future requests. 5591 The server SHOULD generate a Location header field in the response 5592 containing a URI reference for the different URI. The user agent MAY 5593 use the Location field value for automatic redirection. The server's 5594 response payload usually contains a short hypertext note with a 5595 hyperlink to the different URI(s). 5597 9.4.9. 308 Permanent Redirect 5599 The 308 (Permanent Redirect) status code indicates that the target 5600 resource has been assigned a new permanent URI and any future 5601 references to this resource ought to use one of the enclosed URIs. 5602 Clients with link editing capabilities ought to automatically re-link 5603 references to the effective request URI to one or more of the new 5604 references sent by the server, where possible. 5606 The server SHOULD generate a Location header field in the response 5607 containing a preferred URI reference for the new permanent URI. The 5608 user agent MAY use the Location field value for automatic 5609 redirection. The server's response payload usually contains a short 5610 hypertext note with a hyperlink to the new URI(s). 5612 A 308 response is cacheable by default; i.e., unless otherwise 5613 indicated by the method definition or explicit cache controls (see 5614 Section 4.2.2 of [Caching]). 5616 Note: This status code is much younger (June 2014) than its 5617 sibling codes, and thus might not be recognized everywhere. See 5618 Section 4 of [RFC7538] for deployment considerations. 5620 9.5. Client Error 4xx 5622 The 4xx (Client Error) class of status code indicates that the client 5623 seems to have erred. Except when responding to a HEAD request, the 5624 server SHOULD send a representation containing an explanation of the 5625 error situation, and whether it is a temporary or permanent 5626 condition. These status codes are applicable to any request method. 5627 User agents SHOULD display any included representation to the user. 5629 9.5.1. 400 Bad Request 5631 The 400 (Bad Request) status code indicates that the server cannot or 5632 will not process the request due to something that is perceived to be 5633 a client error (e.g., malformed request syntax, invalid request 5634 message framing, or deceptive request routing). 5636 9.5.2. 401 Unauthorized 5638 The 401 (Unauthorized) status code indicates that the request has not 5639 been applied because it lacks valid authentication credentials for 5640 the target resource. The server generating a 401 response MUST send 5641 a WWW-Authenticate header field (Section 10.3.1) containing at least 5642 one challenge applicable to the target resource. 5644 If the request included authentication credentials, then the 401 5645 response indicates that authorization has been refused for those 5646 credentials. The user agent MAY repeat the request with a new or 5647 replaced Authorization header field (Section 8.5.3). If the 401 5648 response contains the same challenge as the prior response, and the 5649 user agent has already attempted authentication at least once, then 5650 the user agent SHOULD present the enclosed representation to the 5651 user, since it usually contains relevant diagnostic information. 5653 9.5.3. 402 Payment Required 5655 The 402 (Payment Required) status code is reserved for future use. 5657 9.5.4. 403 Forbidden 5659 The 403 (Forbidden) status code indicates that the server understood 5660 the request but refuses to authorize it. A server that wishes to 5661 make public why the request has been forbidden can describe that 5662 reason in the response payload (if any). 5664 If authentication credentials were provided in the request, the 5665 server considers them insufficient to grant access. The client 5666 SHOULD NOT automatically repeat the request with the same 5667 credentials. The client MAY repeat the request with new or different 5668 credentials. However, a request might be forbidden for reasons 5669 unrelated to the credentials. 5671 An origin server that wishes to "hide" the current existence of a 5672 forbidden target resource MAY instead respond with a status code of 5673 404 (Not Found). 5675 9.5.5. 404 Not Found 5677 The 404 (Not Found) status code indicates that the origin server did 5678 not find a current representation for the target resource or is not 5679 willing to disclose that one exists. A 404 status code does not 5680 indicate whether this lack of representation is temporary or 5681 permanent; the 410 (Gone) status code is preferred over 404 if the 5682 origin server knows, presumably through some configurable means, that 5683 the condition is likely to be permanent. 5685 A 404 response is cacheable by default; i.e., unless otherwise 5686 indicated by the method definition or explicit cache controls (see 5687 Section 4.2.2 of [Caching]). 5689 9.5.6. 405 Method Not Allowed 5691 The 405 (Method Not Allowed) status code indicates that the method 5692 received in the request-line is known by the origin server but not 5693 supported by the target resource. The origin server MUST generate an 5694 Allow header field in a 405 response containing a list of the target 5695 resource's currently supported methods. 5697 A 405 response is cacheable by default; i.e., unless otherwise 5698 indicated by the method definition or explicit cache controls (see 5699 Section 4.2.2 of [Caching]). 5701 9.5.7. 406 Not Acceptable 5703 The 406 (Not Acceptable) status code indicates that the target 5704 resource does not have a current representation that would be 5705 acceptable to the user agent, according to the proactive negotiation 5706 header fields received in the request (Section 8.4), and the server 5707 is unwilling to supply a default representation. 5709 The server SHOULD generate a payload containing a list of available 5710 representation characteristics and corresponding resource identifiers 5711 from which the user or user agent can choose the one most 5712 appropriate. A user agent MAY automatically select the most 5713 appropriate choice from that list. However, this specification does 5714 not define any standard for such automatic selection, as described in 5715 Section 9.4.1. 5717 9.5.8. 407 Proxy Authentication Required 5719 The 407 (Proxy Authentication Required) status code is similar to 401 5720 (Unauthorized), but it indicates that the client needs to 5721 authenticate itself in order to use a proxy. The proxy MUST send a 5722 Proxy-Authenticate header field (Section 10.3.2) containing a 5723 challenge applicable to that proxy for the target resource. The 5724 client MAY repeat the request with a new or replaced Proxy- 5725 Authorization header field (Section 8.5.4). 5727 9.5.9. 408 Request Timeout 5729 The 408 (Request Timeout) status code indicates that the server did 5730 not receive a complete request message within the time that it was 5731 prepared to wait. A server SHOULD send the "close" connection option 5732 (Section 9.1 of [Messaging]) in the response, since 408 implies that 5733 the server has decided to close the connection rather than continue 5734 waiting. If the client has an outstanding request in transit, the 5735 client MAY repeat that request on a new connection. 5737 9.5.10. 409 Conflict 5739 The 409 (Conflict) status code indicates that the request could not 5740 be completed due to a conflict with the current state of the target 5741 resource. This code is used in situations where the user might be 5742 able to resolve the conflict and resubmit the request. The server 5743 SHOULD generate a payload that includes enough information for a user 5744 to recognize the source of the conflict. 5746 Conflicts are most likely to occur in response to a PUT request. For 5747 example, if versioning were being used and the representation being 5748 PUT included changes to a resource that conflict with those made by 5749 an earlier (third-party) request, the origin server might use a 409 5750 response to indicate that it can't complete the request. In this 5751 case, the response representation would likely contain information 5752 useful for merging the differences based on the revision history. 5754 9.5.11. 410 Gone 5756 The 410 (Gone) status code indicates that access to the target 5757 resource is no longer available at the origin server and that this 5758 condition is likely to be permanent. If the origin server does not 5759 know, or has no facility to determine, whether or not the condition 5760 is permanent, the status code 404 (Not Found) ought to be used 5761 instead. 5763 The 410 response is primarily intended to assist the task of web 5764 maintenance by notifying the recipient that the resource is 5765 intentionally unavailable and that the server owners desire that 5766 remote links to that resource be removed. Such an event is common 5767 for limited-time, promotional services and for resources belonging to 5768 individuals no longer associated with the origin server's site. It 5769 is not necessary to mark all permanently unavailable resources as 5770 "gone" or to keep the mark for any length of time -- that is left to 5771 the discretion of the server owner. 5773 A 410 response is cacheable by default; i.e., unless otherwise 5774 indicated by the method definition or explicit cache controls (see 5775 Section 4.2.2 of [Caching]). 5777 9.5.12. 411 Length Required 5779 The 411 (Length Required) status code indicates that the server 5780 refuses to accept the request without a defined Content-Length 5781 (Section 6.2.4). The client MAY repeat the request if it adds a 5782 valid Content-Length header field containing the length of the 5783 message body in the request message. 5785 9.5.13. 412 Precondition Failed 5787 The 412 (Precondition Failed) status code indicates that one or more 5788 conditions given in the request header fields evaluated to false when 5789 tested on the server. This response status code allows the client to 5790 place preconditions on the current resource state (its current 5791 representations and metadata) and, thus, prevent the request method 5792 from being applied if the target resource is in an unexpected state. 5794 9.5.14. 413 Payload Too Large 5796 The 413 (Payload Too Large) status code indicates that the server is 5797 refusing to process a request because the request payload is larger 5798 than the server is willing or able to process. The server MAY close 5799 the connection to prevent the client from continuing the request. 5801 If the condition is temporary, the server SHOULD generate a Retry- 5802 After header field to indicate that it is temporary and after what 5803 time the client MAY try again. 5805 9.5.15. 414 URI Too Long 5807 The 414 (URI Too Long) status code indicates that the server is 5808 refusing to service the request because the request-target 5809 (Section 3.2 of [Messaging]) is longer than the server is willing to 5810 interpret. This rare condition is only likely to occur when a client 5811 has improperly converted a POST request to a GET request with long 5812 query information, when the client has descended into a "black hole" 5813 of redirection (e.g., a redirected URI prefix that points to a suffix 5814 of itself) or when the server is under attack by a client attempting 5815 to exploit potential security holes. 5817 A 414 response is cacheable by default; i.e., unless otherwise 5818 indicated by the method definition or explicit cache controls (see 5819 Section 4.2.2 of [Caching]). 5821 9.5.16. 415 Unsupported Media Type 5823 The 415 (Unsupported Media Type) status code indicates that the 5824 origin server is refusing to service the request because the payload 5825 is in a format not supported by this method on the target resource. 5826 The format problem might be due to the request's indicated Content- 5827 Type or Content-Encoding, or as a result of inspecting the data 5828 directly. 5830 9.5.17. 416 Range Not Satisfiable 5832 The 416 (Range Not Satisfiable) status code indicates that none of 5833 the ranges in the request's Range header field (Section 8.3) overlap 5834 the current extent of the selected representation or that the set of 5835 ranges requested has been rejected due to invalid ranges or an 5836 excessive request of small or overlapping ranges. 5838 For byte ranges, failing to overlap the current extent means that the 5839 first-byte-pos of all of the byte-range-spec values were greater than 5840 or equal to the current length of the selected representation. When 5841 this status code is generated in response to a byte-range request, 5842 the sender SHOULD generate a Content-Range header field specifying 5843 the current length of the selected representation (Section 6.3.3). 5845 For example: 5847 HTTP/1.1 416 Range Not Satisfiable 5848 Date: Fri, 20 Jan 2012 15:41:54 GMT 5849 Content-Range: bytes */47022 5851 Note: Because servers are free to ignore Range, many 5852 implementations will simply respond with the entire selected 5853 representation in a 200 (OK) response. That is partly because 5854 most clients are prepared to receive a 200 (OK) to complete the 5855 task (albeit less efficiently) and partly because clients might 5856 not stop making an invalid partial request until they have 5857 received a complete representation. Thus, clients cannot depend 5858 on receiving a 416 (Range Not Satisfiable) response even when it 5859 is most appropriate. 5861 9.5.18. 417 Expectation Failed 5863 The 417 (Expectation Failed) status code indicates that the 5864 expectation given in the request's Expect header field 5865 (Section 8.1.1) could not be met by at least one of the inbound 5866 servers. 5868 9.5.19. 418 (Unused) 5870 [RFC2324] was an April 1 RFC that lampooned the various ways HTTP was 5871 abused; one such abuse was the definition of an application-specific 5872 418 status code. In the intervening years, this status code has been 5873 widely implemented as an "Easter Egg", and therefore is effectively 5874 consumed by this use. 5876 Therefore, the 418 status code is reserved in the IANA HTTP Status 5877 Code registry. This indicates that the status code cannot be 5878 assigned to other applications currently. If future circumstances 5879 require its use (e.g., exhaustion of 4NN status codes), it can be re- 5880 assigned to another use. 5882 9.5.20. 422 Unprocessable Entity 5884 The 422 (Unprocessable Entity) status code indicates that the server 5885 understands the content type of the request entity (hence a 415 5886 (Unsupported Media Type) status code is inappropriate), and the 5887 syntax of the request entity is correct but was unable to process the 5888 contained instructions. For example, this error condition may occur 5889 if an XML request body contains well-formed (i.e., syntactically 5890 correct), but semantically erroneous, XML instructions. 5892 9.5.21. 426 Upgrade Required 5894 The 426 (Upgrade Required) status code indicates that the server 5895 refuses to perform the request using the current protocol but might 5896 be willing to do so after the client upgrades to a different 5897 protocol. The server MUST send an Upgrade header field in a 426 5898 response to indicate the required protocol(s) (Section 9.8 of 5899 [Messaging]). 5901 Example: 5903 HTTP/1.1 426 Upgrade Required 5904 Upgrade: HTTP/3.0 5905 Connection: Upgrade 5906 Content-Length: 53 5907 Content-Type: text/plain 5909 This service requires use of the HTTP/3.0 protocol. 5911 9.6. Server Error 5xx 5913 The 5xx (Server Error) class of status code indicates that the server 5914 is aware that it has erred or is incapable of performing the 5915 requested method. Except when responding to a HEAD request, the 5916 server SHOULD send a representation containing an explanation of the 5917 error situation, and whether it is a temporary or permanent 5918 condition. A user agent SHOULD display any included representation 5919 to the user. These response codes are applicable to any request 5920 method. 5922 9.6.1. 500 Internal Server Error 5924 The 500 (Internal Server Error) status code indicates that the server 5925 encountered an unexpected condition that prevented it from fulfilling 5926 the request. 5928 9.6.2. 501 Not Implemented 5930 The 501 (Not Implemented) status code indicates that the server does 5931 not support the functionality required to fulfill the request. This 5932 is the appropriate response when the server does not recognize the 5933 request method and is not capable of supporting it for any resource. 5935 A 501 response is cacheable by default; i.e., unless otherwise 5936 indicated by the method definition or explicit cache controls (see 5937 Section 4.2.2 of [Caching]). 5939 9.6.3. 502 Bad Gateway 5941 The 502 (Bad Gateway) status code indicates that the server, while 5942 acting as a gateway or proxy, received an invalid response from an 5943 inbound server it accessed while attempting to fulfill the request. 5945 9.6.4. 503 Service Unavailable 5947 The 503 (Service Unavailable) status code indicates that the server 5948 is currently unable to handle the request due to a temporary overload 5949 or scheduled maintenance, which will likely be alleviated after some 5950 delay. The server MAY send a Retry-After header field 5951 (Section 10.1.3) to suggest an appropriate amount of time for the 5952 client to wait before retrying the request. 5954 Note: The existence of the 503 status code does not imply that a 5955 server has to use it when becoming overloaded. Some servers might 5956 simply refuse the connection. 5958 9.6.5. 504 Gateway Timeout 5960 The 504 (Gateway Timeout) status code indicates that the server, 5961 while acting as a gateway or proxy, did not receive a timely response 5962 from an upstream server it needed to access in order to complete the 5963 request. 5965 9.6.6. 505 HTTP Version Not Supported 5967 The 505 (HTTP Version Not Supported) status code indicates that the 5968 server does not support, or refuses to support, the major version of 5969 HTTP that was used in the request message. The server is indicating 5970 that it is unable or unwilling to complete the request using the same 5971 major version as the client, as described in Section 3.5, other than 5972 with this error message. The server SHOULD generate a representation 5973 for the 505 response that describes why that version is not supported 5974 and what other protocols are supported by that server. 5976 9.7. Status Code Extensibility 5978 Additional status codes, outside the scope of this specification, 5979 have been specified for use in HTTP. All such status codes ought to 5980 be registered within the "Hypertext Transfer Protocol (HTTP) Status 5981 Code Registry". 5983 9.7.1. Status Code Registry 5985 The "Hypertext Transfer Protocol (HTTP) Status Code Registry", 5986 maintained by IANA at , registers status code numbers. 5989 A registration MUST include the following fields: 5991 o Status Code (3 digits) 5993 o Short Description 5995 o Pointer to specification text 5997 Values to be added to the HTTP status code namespace require IETF 5998 Review (see [RFC8126], Section 4.8). 6000 9.7.2. Considerations for New Status Codes 6002 When it is necessary to express semantics for a response that are not 6003 defined by current status codes, a new status code can be registered. 6004 Status codes are generic; they are potentially applicable to any 6005 resource, not just one particular media type, kind of resource, or 6006 application of HTTP. As such, it is preferred that new status codes 6007 be registered in a document that isn't specific to a single 6008 application. 6010 New status codes are required to fall under one of the categories 6011 defined in Section 9. To allow existing parsers to process the 6012 response message, new status codes cannot disallow a payload, 6013 although they can mandate a zero-length payload body. 6015 Proposals for new status codes that are not yet widely deployed ought 6016 to avoid allocating a specific number for the code until there is 6017 clear consensus that it will be registered; instead, early drafts can 6018 use a notation such as "4NN", or "3N0" .. "3N9", to indicate the 6019 class of the proposed status code(s) without consuming a number 6020 prematurely. 6022 The definition of a new status code ought to explain the request 6023 conditions that would cause a response containing that status code 6024 (e.g., combinations of request header fields and/or method(s)) along 6025 with any dependencies on response header fields (e.g., what fields 6026 are required, what fields can modify the semantics, and what header 6027 field semantics are further refined when used with the new status 6028 code). 6030 The definition of a new status code ought to specify whether or not 6031 it is cacheable. Note that all status codes can be cached if the 6032 response they occur in has explicit freshness information; however, 6033 status codes that are defined as being cacheable are allowed to be 6034 cached without explicit freshness information. Likewise, the 6035 definition of a status code can place constraints upon cache 6036 behavior. See [Caching] for more information. 6038 Finally, the definition of a new status code ought to indicate 6039 whether the payload has any implied association with an identified 6040 resource (Section 6.3.2). 6042 10. Response Header Fields 6044 The response header fields allow the server to pass additional 6045 information about the response beyond what is placed in the status- 6046 line. These header fields give information about the server, about 6047 further access to the target resource, or about related resources. 6049 Although each response header field has a defined meaning, in 6050 general, the precise semantics might be further refined by the 6051 semantics of the request method and/or response status code. 6053 10.1. Control Data 6055 Response header fields can supply control data that supplements the 6056 status code, directs caching, or instructs the client where to go 6057 next. 6059 +-------------------+--------------------------+ 6060 | Header Field Name | Defined in... | 6061 +-------------------+--------------------------+ 6062 | Age | Section 5.1 of [Caching] | 6063 | Cache-Control | Section 5.2 of [Caching] | 6064 | Expires | Section 5.3 of [Caching] | 6065 | Date | Section 10.1.1.2 | 6066 | Location | Section 10.1.2 | 6067 | Retry-After | Section 10.1.3 | 6068 | Vary | Section 10.1.4 | 6069 | Warning | Section 5.5 of [Caching] | 6070 +-------------------+--------------------------+ 6072 10.1.1. Origination Date 6074 10.1.1.1. Date/Time Formats 6076 Prior to 1995, there were three different formats commonly used by 6077 servers to communicate timestamps. For compatibility with old 6078 implementations, all three are defined here. The preferred format is 6079 a fixed-length and single-zone subset of the date and time 6080 specification used by the Internet Message Format [RFC5322]. 6082 HTTP-date = IMF-fixdate / obs-date 6084 An example of the preferred format is 6086 Sun, 06 Nov 1994 08:49:37 GMT ; IMF-fixdate 6088 Examples of the two obsolete formats are 6090 Sunday, 06-Nov-94 08:49:37 GMT ; obsolete RFC 850 format 6091 Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format 6093 A recipient that parses a timestamp value in an HTTP header field 6094 MUST accept all three HTTP-date formats. When a sender generates a 6095 header field that contains one or more timestamps defined as HTTP- 6096 date, the sender MUST generate those timestamps in the IMF-fixdate 6097 format. 6099 An HTTP-date value represents time as an instance of Coordinated 6100 Universal Time (UTC). The first two formats indicate UTC by the 6101 three-letter abbreviation for Greenwich Mean Time, "GMT", a 6102 predecessor of the UTC name; values in the asctime format are assumed 6103 to be in UTC. A sender that generates HTTP-date values from a local 6104 clock ought to use NTP ([RFC5905]) or some similar protocol to 6105 synchronize its clock to UTC. 6107 Preferred format: 6109 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 6110 ; fixed length/zone/capitalization subset of the format 6111 ; see Section 3.3 of [RFC5322] 6113 day-name = %s"Mon" / %s"Tue" / %s"Wed" 6114 / %s"Thu" / %s"Fri" / %s"Sat" / %s"Sun" 6116 date1 = day SP month SP year 6117 ; e.g., 02 Jun 1982 6119 day = 2DIGIT 6120 month = %s"Jan" / %s"Feb" / %s"Mar" / %s"Apr" 6121 / %s"May" / %s"Jun" / %s"Jul" / %s"Aug" 6122 / %s"Sep" / %s"Oct" / %s"Nov" / %s"Dec" 6123 year = 4DIGIT 6125 GMT = %s"GMT" 6127 time-of-day = hour ":" minute ":" second 6128 ; 00:00:00 - 23:59:60 (leap second) 6130 hour = 2DIGIT 6131 minute = 2DIGIT 6132 second = 2DIGIT 6134 Obsolete formats: 6136 obs-date = rfc850-date / asctime-date 6138 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 6139 date2 = day "-" month "-" 2DIGIT 6140 ; e.g., 02-Jun-82 6142 day-name-l = %s"Monday" / %s"Tuesday" / %s"Wednesday" 6143 / %s"Thursday" / %s"Friday" / %s"Saturday" / %s"Sunday" 6145 asctime-date = day-name SP date3 SP time-of-day SP year 6146 date3 = month SP ( 2DIGIT / ( SP 1DIGIT )) 6147 ; e.g., Jun 2 6149 HTTP-date is case sensitive. A sender MUST NOT generate additional 6150 whitespace in an HTTP-date beyond that specifically included as SP in 6151 the grammar. The semantics of day-name, day, month, year, and time- 6152 of-day are the same as those defined for the Internet Message Format 6153 constructs with the corresponding name ([RFC5322], Section 3.3). 6155 Recipients of a timestamp value in rfc850-date format, which uses a 6156 two-digit year, MUST interpret a timestamp that appears to be more 6157 than 50 years in the future as representing the most recent year in 6158 the past that had the same last two digits. 6160 Recipients of timestamp values are encouraged to be robust in parsing 6161 timestamps unless otherwise restricted by the field definition. For 6162 example, messages are occasionally forwarded over HTTP from a non- 6163 HTTP source that might generate any of the date and time 6164 specifications defined by the Internet Message Format. 6166 Note: HTTP requirements for the date/time stamp format apply only 6167 to their usage within the protocol stream. Implementations are 6168 not required to use these formats for user presentation, request 6169 logging, etc. 6171 10.1.1.2. Date 6173 The "Date" header field represents the date and time at which the 6174 message was originated, having the same semantics as the Origination 6175 Date Field (orig-date) defined in Section 3.6.1 of [RFC5322]. The 6176 field value is an HTTP-date, as defined in Section 10.1.1.1. 6178 Date = HTTP-date 6180 An example is 6182 Date: Tue, 15 Nov 1994 08:12:31 GMT 6184 When a Date header field is generated, the sender SHOULD generate its 6185 field value as the best available approximation of the date and time 6186 of message generation. In theory, the date ought to represent the 6187 moment just before the payload is generated. In practice, the date 6188 can be generated at any time during message origination. 6190 An origin server MUST NOT send a Date header field if it does not 6191 have a clock capable of providing a reasonable approximation of the 6192 current instance in Coordinated Universal Time. An origin server MAY 6193 send a Date header field if the response is in the 1xx 6194 (Informational) or 5xx (Server Error) class of status codes. An 6195 origin server MUST send a Date header field in all other cases. 6197 A recipient with a clock that receives a response message without a 6198 Date header field MUST record the time it was received and append a 6199 corresponding Date header field to the message's header section if it 6200 is cached or forwarded downstream. 6202 A user agent MAY send a Date header field in a request, though 6203 generally will not do so unless it is believed to convey useful 6204 information to the server. For example, custom applications of HTTP 6205 might convey a Date if the server is expected to adjust its 6206 interpretation of the user's request based on differences between the 6207 user agent and server clocks. 6209 10.1.2. Location 6211 The "Location" header field is used in some responses to refer to a 6212 specific resource in relation to the response. The type of 6213 relationship is defined by the combination of request method and 6214 status code semantics. 6216 Location = URI-reference 6218 The field value consists of a single URI-reference. When it has the 6219 form of a relative reference ([RFC3986], Section 4.2), the final 6220 value is computed by resolving it against the effective request URI 6221 ([RFC3986], Section 5). 6223 For 201 (Created) responses, the Location value refers to the primary 6224 resource created by the request. For 3xx (Redirection) responses, 6225 the Location value refers to the preferred target resource for 6226 automatically redirecting the request. 6228 If the Location value provided in a 3xx (Redirection) response does 6229 not have a fragment component, a user agent MUST process the 6230 redirection as if the value inherits the fragment component of the 6231 URI reference used to generate the request target (i.e., the 6232 redirection inherits the original reference's fragment, if any). 6234 For example, a GET request generated for the URI reference 6235 "http://www.example.org/~tim" might result in a 303 (See Other) 6236 response containing the header field: 6238 Location: /People.html#tim 6240 which suggests that the user agent redirect to 6241 "http://www.example.org/People.html#tim" 6243 Likewise, a GET request generated for the URI reference 6244 "http://www.example.org/index.html#larry" might result in a 301 6245 (Moved Permanently) response containing the header field: 6247 Location: http://www.example.net/index.html 6249 which suggests that the user agent redirect to 6250 "http://www.example.net/index.html#larry", preserving the original 6251 fragment identifier. 6253 There are circumstances in which a fragment identifier in a Location 6254 value would not be appropriate. For example, the Location header 6255 field in a 201 (Created) response is supposed to provide a URI that 6256 is specific to the created resource. 6258 Note: Some recipients attempt to recover from Location fields that 6259 are not valid URI references. This specification does not mandate 6260 or define such processing, but does allow it for the sake of 6261 robustness. 6263 Note: The Content-Location header field (Section 6.2.5) differs 6264 from Location in that the Content-Location refers to the most 6265 specific resource corresponding to the enclosed representation. 6266 It is therefore possible for a response to contain both the 6267 Location and Content-Location header fields. 6269 10.1.3. Retry-After 6271 Servers send the "Retry-After" header field to indicate how long the 6272 user agent ought to wait before making a follow-up request. When 6273 sent with a 503 (Service Unavailable) response, Retry-After indicates 6274 how long the service is expected to be unavailable to the client. 6275 When sent with any 3xx (Redirection) response, Retry-After indicates 6276 the minimum time that the user agent is asked to wait before issuing 6277 the redirected request. 6279 The value of this field can be either an HTTP-date or a number of 6280 seconds to delay after the response is received. 6282 Retry-After = HTTP-date / delay-seconds 6284 A delay-seconds value is a non-negative decimal integer, representing 6285 time in seconds. 6287 delay-seconds = 1*DIGIT 6289 Two examples of its use are 6291 Retry-After: Fri, 31 Dec 1999 23:59:59 GMT 6292 Retry-After: 120 6294 In the latter example, the delay is 2 minutes. 6296 10.1.4. Vary 6298 The "Vary" header field in a response describes what parts of a 6299 request message, aside from the method, Host header field, and 6300 request target, might influence the origin server's process for 6301 selecting and representing this response. The value consists of 6302 either a single asterisk ("*") or a list of header field names (case- 6303 insensitive). 6305 Vary = "*" / 1#field-name 6307 A Vary field value of "*" signals that anything about the request 6308 might play a role in selecting the response representation, possibly 6309 including elements outside the message syntax (e.g., the client's 6310 network address). A recipient will not be able to determine whether 6311 this response is appropriate for a later request without forwarding 6312 the request to the origin server. A proxy MUST NOT generate a Vary 6313 field with a "*" value. 6315 A Vary field value consisting of a comma-separated list of names 6316 indicates that the named request header fields, known as the 6317 selecting header fields, might have a role in selecting the 6318 representation. The potential selecting header fields are not 6319 limited to those defined by this specification. 6321 For example, a response that contains 6323 Vary: accept-encoding, accept-language 6325 indicates that the origin server might have used the request's 6326 Accept-Encoding and Accept-Language fields (or lack thereof) as 6327 determining factors while choosing the content for this response. 6329 An origin server might send Vary with a list of fields for two 6330 purposes: 6332 1. To inform cache recipients that they MUST NOT use this response 6333 to satisfy a later request unless the later request has the same 6334 values for the listed fields as the original request (Section 4.1 6335 of [Caching]). In other words, Vary expands the cache key 6336 required to match a new request to the stored cache entry. 6338 2. To inform user agent recipients that this response is subject to 6339 content negotiation (Section 8.4) and that a different 6340 representation might be sent in a subsequent request if 6341 additional parameters are provided in the listed header fields 6342 (proactive negotiation). 6344 An origin server SHOULD send a Vary header field when its algorithm 6345 for selecting a representation varies based on aspects of the request 6346 message other than the method and request target, unless the variance 6347 cannot be crossed or the origin server has been deliberately 6348 configured to prevent cache transparency. For example, there is no 6349 need to send the Authorization field name in Vary because reuse 6350 across users is constrained by the field definition (Section 8.5.3). 6351 Likewise, an origin server might use Cache-Control response 6352 directives (Section 5.2 of [Caching]) to supplant Vary if it 6353 considers the variance less significant than the performance cost of 6354 Vary's impact on caching. 6356 10.2. Validators 6358 Validator header fields convey metadata about the selected 6359 representation (Section 6). In responses to safe requests, validator 6360 fields describe the selected representation chosen by the origin 6361 server while handling the response. Note that, depending on the 6362 status code semantics, the selected representation for a given 6363 response is not necessarily the same as the representation enclosed 6364 as response payload. 6366 In a successful response to a state-changing request, validator 6367 fields describe the new representation that has replaced the prior 6368 selected representation as a result of processing the request. 6370 For example, an ETag header field in a 201 (Created) response 6371 communicates the entity-tag of the newly created resource's 6372 representation, so that it can be used in later conditional requests 6373 to prevent the "lost update" problem Section 8.2. 6375 +-------------------+----------------+ 6376 | Header Field Name | Defined in... | 6377 +-------------------+----------------+ 6378 | ETag | Section 10.2.3 | 6379 | Last-Modified | Section 10.2.2 | 6380 +-------------------+----------------+ 6382 This specification defines two forms of metadata that are commonly 6383 used to observe resource state and test for preconditions: 6384 modification dates (Section 10.2.2) and opaque entity tags 6385 (Section 10.2.3). Additional metadata that reflects resource state 6386 has been defined by various extensions of HTTP, such as Web 6387 Distributed Authoring and Versioning (WebDAV, [RFC4918]), that are 6388 beyond the scope of this specification. A resource metadata value is 6389 referred to as a "validator" when it is used within a precondition. 6391 10.2.1. Weak versus Strong 6393 Validators come in two flavors: strong or weak. Weak validators are 6394 easy to generate but are far less useful for comparisons. Strong 6395 validators are ideal for comparisons but can be very difficult (and 6396 occasionally impossible) to generate efficiently. Rather than impose 6397 that all forms of resource adhere to the same strength of validator, 6398 HTTP exposes the type of validator in use and imposes restrictions on 6399 when weak validators can be used as preconditions. 6401 A "strong validator" is representation metadata that changes value 6402 whenever a change occurs to the representation data that would be 6403 observable in the payload body of a 200 (OK) response to GET. 6405 A strong validator might change for reasons other than a change to 6406 the representation data, such as when a semantically significant part 6407 of the representation metadata is changed (e.g., Content-Type), but 6408 it is in the best interests of the origin server to only change the 6409 value when it is necessary to invalidate the stored responses held by 6410 remote caches and authoring tools. 6412 Cache entries might persist for arbitrarily long periods, regardless 6413 of expiration times. Thus, a cache might attempt to validate an 6414 entry using a validator that it obtained in the distant past. A 6415 strong validator is unique across all versions of all representations 6416 associated with a particular resource over time. However, there is 6417 no implication of uniqueness across representations of different 6418 resources (i.e., the same strong validator might be in use for 6419 representations of multiple resources at the same time and does not 6420 imply that those representations are equivalent). 6422 There are a variety of strong validators used in practice. The best 6423 are based on strict revision control, wherein each change to a 6424 representation always results in a unique node name and revision 6425 identifier being assigned before the representation is made 6426 accessible to GET. A collision-resistant hash function applied to 6427 the representation data is also sufficient if the data is available 6428 prior to the response header fields being sent and the digest does 6429 not need to be recalculated every time a validation request is 6430 received. However, if a resource has distinct representations that 6431 differ only in their metadata, such as might occur with content 6432 negotiation over media types that happen to share the same data 6433 format, then the origin server needs to incorporate additional 6434 information in the validator to distinguish those representations. 6436 In contrast, a "weak validator" is representation metadata that might 6437 not change for every change to the representation data. This 6438 weakness might be due to limitations in how the value is calculated, 6439 such as clock resolution, an inability to ensure uniqueness for all 6440 possible representations of the resource, or a desire of the resource 6441 owner to group representations by some self-determined set of 6442 equivalency rather than unique sequences of data. An origin server 6443 SHOULD change a weak entity-tag whenever it considers prior 6444 representations to be unacceptable as a substitute for the current 6445 representation. In other words, a weak entity-tag ought to change 6446 whenever the origin server wants caches to invalidate old responses. 6448 For example, the representation of a weather report that changes in 6449 content every second, based on dynamic measurements, might be grouped 6450 into sets of equivalent representations (from the origin server's 6451 perspective) with the same weak validator in order to allow cached 6452 representations to be valid for a reasonable period of time (perhaps 6453 adjusted dynamically based on server load or weather quality). 6454 Likewise, a representation's modification time, if defined with only 6455 one-second resolution, might be a weak validator if it is possible 6456 for the representation to be modified twice during a single second 6457 and retrieved between those modifications. 6459 Likewise, a validator is weak if it is shared by two or more 6460 representations of a given resource at the same time, unless those 6461 representations have identical representation data. For example, if 6462 the origin server sends the same validator for a representation with 6463 a gzip content coding applied as it does for a representation with no 6464 content coding, then that validator is weak. However, two 6465 simultaneous representations might share the same strong validator if 6466 they differ only in the representation metadata, such as when two 6467 different media types are available for the same representation data. 6469 Strong validators are usable for all conditional requests, including 6470 cache validation, partial content ranges, and "lost update" 6471 avoidance. Weak validators are only usable when the client does not 6472 require exact equality with previously obtained representation data, 6473 such as when validating a cache entry or limiting a web traversal to 6474 recent changes. 6476 10.2.2. Last-Modified 6478 The "Last-Modified" header field in a response provides a timestamp 6479 indicating the date and time at which the origin server believes the 6480 selected representation was last modified, as determined at the 6481 conclusion of handling the request. 6483 Last-Modified = HTTP-date 6485 An example of its use is 6487 Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT 6489 10.2.2.1. Generation 6491 An origin server SHOULD send Last-Modified for any selected 6492 representation for which a last modification date can be reasonably 6493 and consistently determined, since its use in conditional requests 6494 and evaluating cache freshness ([Caching]) results in a substantial 6495 reduction of HTTP traffic on the Internet and can be a significant 6496 factor in improving service scalability and reliability. 6498 A representation is typically the sum of many parts behind the 6499 resource interface. The last-modified time would usually be the most 6500 recent time that any of those parts were changed. How that value is 6501 determined for any given resource is an implementation detail beyond 6502 the scope of this specification. What matters to HTTP is how 6503 recipients of the Last-Modified header field can use its value to 6504 make conditional requests and test the validity of locally cached 6505 responses. 6507 An origin server SHOULD obtain the Last-Modified value of the 6508 representation as close as possible to the time that it generates the 6509 Date field value for its response. This allows a recipient to make 6510 an accurate assessment of the representation's modification time, 6511 especially if the representation changes near the time that the 6512 response is generated. 6514 An origin server with a clock MUST NOT send a Last-Modified date that 6515 is later than the server's time of message origination (Date). If 6516 the last modification time is derived from implementation-specific 6517 metadata that evaluates to some time in the future, according to the 6518 origin server's clock, then the origin server MUST replace that value 6519 with the message origination date. This prevents a future 6520 modification date from having an adverse impact on cache validation. 6522 An origin server without a clock MUST NOT assign Last-Modified values 6523 to a response unless these values were associated with the resource 6524 by some other system or user with a reliable clock. 6526 10.2.2.2. Comparison 6528 A Last-Modified time, when used as a validator in a request, is 6529 implicitly weak unless it is possible to deduce that it is strong, 6530 using the following rules: 6532 o The validator is being compared by an origin server to the actual 6533 current validator for the representation and, 6535 o That origin server reliably knows that the associated 6536 representation did not change twice during the second covered by 6537 the presented validator. 6539 or 6541 o The validator is about to be used by a client in an If-Modified- 6542 Since, If-Unmodified-Since, or If-Range header field, because the 6543 client has a cache entry for the associated representation, and 6545 o That cache entry includes a Date value, which gives the time when 6546 the origin server sent the original response, and 6548 o The presented Last-Modified time is at least 60 seconds before the 6549 Date value. 6551 or 6553 o The validator is being compared by an intermediate cache to the 6554 validator stored in its cache entry for the representation, and 6556 o That cache entry includes a Date value, which gives the time when 6557 the origin server sent the original response, and 6559 o The presented Last-Modified time is at least 60 seconds before the 6560 Date value. 6562 This method relies on the fact that if two different responses were 6563 sent by the origin server during the same second, but both had the 6564 same Last-Modified time, then at least one of those responses would 6565 have a Date value equal to its Last-Modified time. The arbitrary 6566 60-second limit guards against the possibility that the Date and 6567 Last-Modified values are generated from different clocks or at 6568 somewhat different times during the preparation of the response. An 6569 implementation MAY use a value larger than 60 seconds, if it is 6570 believed that 60 seconds is too short. 6572 10.2.3. ETag 6574 The "ETag" header field in a response provides the current entity-tag 6575 for the selected representation, as determined at the conclusion of 6576 handling the request. An entity-tag is an opaque validator for 6577 differentiating between multiple representations of the same 6578 resource, regardless of whether those multiple representations are 6579 due to resource state changes over time, content negotiation 6580 resulting in multiple representations being valid at the same time, 6581 or both. An entity-tag consists of an opaque quoted string, possibly 6582 prefixed by a weakness indicator. 6584 ETag = entity-tag 6586 entity-tag = [ weak ] opaque-tag 6587 weak = %s"W/" 6588 opaque-tag = DQUOTE *etagc DQUOTE 6589 etagc = %x21 / %x23-7E / obs-text 6590 ; VCHAR except double quotes, plus obs-text 6592 Note: Previously, opaque-tag was defined to be a quoted-string 6593 ([RFC2616], Section 3.11); thus, some recipients might perform 6594 backslash unescaping. Servers therefore ought to avoid backslash 6595 characters in entity tags. 6597 An entity-tag can be more reliable for validation than a modification 6598 date in situations where it is inconvenient to store modification 6599 dates, where the one-second resolution of HTTP date values is not 6600 sufficient, or where modification dates are not consistently 6601 maintained. 6603 Examples: 6605 ETag: "xyzzy" 6606 ETag: W/"xyzzy" 6607 ETag: "" 6609 An entity-tag can be either a weak or strong validator, with strong 6610 being the default. If an origin server provides an entity-tag for a 6611 representation and the generation of that entity-tag does not satisfy 6612 all of the characteristics of a strong validator (Section 10.2.1), 6613 then the origin server MUST mark the entity-tag as weak by prefixing 6614 its opaque value with "W/" (case-sensitive). 6616 10.2.3.1. Generation 6618 The principle behind entity-tags is that only the service author 6619 knows the implementation of a resource well enough to select the most 6620 accurate and efficient validation mechanism for that resource, and 6621 that any such mechanism can be mapped to a simple sequence of octets 6622 for easy comparison. Since the value is opaque, there is no need for 6623 the client to be aware of how each entity-tag is constructed. 6625 For example, a resource that has implementation-specific versioning 6626 applied to all changes might use an internal revision number, perhaps 6627 combined with a variance identifier for content negotiation, to 6628 accurately differentiate between representations. Other 6629 implementations might use a collision-resistant hash of 6630 representation content, a combination of various file attributes, or 6631 a modification timestamp that has sub-second resolution. 6633 An origin server SHOULD send an ETag for any selected representation 6634 for which detection of changes can be reasonably and consistently 6635 determined, since the entity-tag's use in conditional requests and 6636 evaluating cache freshness ([Caching]) can result in a substantial 6637 reduction of HTTP network traffic and can be a significant factor in 6638 improving service scalability and reliability. 6640 10.2.3.2. Comparison 6642 There are two entity-tag comparison functions, depending on whether 6643 or not the comparison context allows the use of weak validators: 6645 o Strong comparison: two entity-tags are equivalent if both are not 6646 weak and their opaque-tags match character-by-character. 6648 o Weak comparison: two entity-tags are equivalent if their opaque- 6649 tags match character-by-character, regardless of either or both 6650 being tagged as "weak". 6652 The example below shows the results for a set of entity-tag pairs and 6653 both the weak and strong comparison function results: 6655 +--------+--------+-------------------+-----------------+ 6656 | ETag 1 | ETag 2 | Strong Comparison | Weak Comparison | 6657 +--------+--------+-------------------+-----------------+ 6658 | W/"1" | W/"1" | no match | match | 6659 | W/"1" | W/"2" | no match | no match | 6660 | W/"1" | "1" | no match | match | 6661 | "1" | "1" | match | match | 6662 +--------+--------+-------------------+-----------------+ 6664 10.2.3.3. Example: Entity-Tags Varying on Content-Negotiated Resources 6666 Consider a resource that is subject to content negotiation 6667 (Section 6.4), and where the representations sent in response to a 6668 GET request vary based on the Accept-Encoding request header field 6669 (Section 8.4.4): 6671 >> Request: 6673 GET /index HTTP/1.1 6674 Host: www.example.com 6675 Accept-Encoding: gzip 6677 In this case, the response might or might not use the gzip content 6678 coding. If it does not, the response might look like: 6680 >> Response: 6682 HTTP/1.1 200 OK 6683 Date: Fri, 26 Mar 2010 00:05:00 GMT 6684 ETag: "123-a" 6685 Content-Length: 70 6686 Vary: Accept-Encoding 6687 Content-Type: text/plain 6689 Hello World! 6690 Hello World! 6691 Hello World! 6692 Hello World! 6693 Hello World! 6695 An alternative representation that does use gzip content coding would 6696 be: 6698 >> Response: 6700 HTTP/1.1 200 OK 6701 Date: Fri, 26 Mar 2010 00:05:00 GMT 6702 ETag: "123-b" 6703 Content-Length: 43 6704 Vary: Accept-Encoding 6705 Content-Type: text/plain 6706 Content-Encoding: gzip 6708 ...binary data... 6710 Note: Content codings are a property of the representation data, 6711 so a strong entity-tag for a content-encoded representation has to 6712 be distinct from the entity tag of an unencoded representation to 6713 prevent potential conflicts during cache updates and range 6714 requests. In contrast, transfer codings (Section 7 of 6715 [Messaging]) apply only during message transfer and do not result 6716 in distinct entity-tags. 6718 10.2.4. When to Use Entity-Tags and Last-Modified Dates 6720 In 200 (OK) responses to GET or HEAD, an origin server: 6722 o SHOULD send an entity-tag validator unless it is not feasible to 6723 generate one. 6725 o MAY send a weak entity-tag instead of a strong entity-tag, if 6726 performance considerations support the use of weak entity-tags, or 6727 if it is unfeasible to send a strong entity-tag. 6729 o SHOULD send a Last-Modified value if it is feasible to send one. 6731 In other words, the preferred behavior for an origin server is to 6732 send both a strong entity-tag and a Last-Modified value in successful 6733 responses to a retrieval request. 6735 A client: 6737 o MUST send that entity-tag in any cache validation request (using 6738 If-Match or If-None-Match) if an entity-tag has been provided by 6739 the origin server. 6741 o SHOULD send the Last-Modified value in non-subrange cache 6742 validation requests (using If-Modified-Since) if only a Last- 6743 Modified value has been provided by the origin server. 6745 o MAY send the Last-Modified value in subrange cache validation 6746 requests (using If-Unmodified-Since) if only a Last-Modified value 6747 has been provided by an HTTP/1.0 origin server. The user agent 6748 SHOULD provide a way to disable this, in case of difficulty. 6750 o SHOULD send both validators in cache validation requests if both 6751 an entity-tag and a Last-Modified value have been provided by the 6752 origin server. This allows both HTTP/1.0 and HTTP/1.1 caches to 6753 respond appropriately. 6755 10.3. Authentication Challenges 6757 Authentication challenges indicate what mechanisms are available for 6758 the client to provide authentication credentials in future requests. 6760 +--------------------+----------------+ 6761 | Header Field Name | Defined in... | 6762 +--------------------+----------------+ 6763 | WWW-Authenticate | Section 10.3.1 | 6764 | Proxy-Authenticate | Section 10.3.2 | 6765 +--------------------+----------------+ 6766 Furthermore, the "Authentication-Info" and "Proxy-Authentication- 6767 Info" response header fields are defined for use in authentication 6768 schemes that need to return information once the client's 6769 authentication credentials have been accepted. 6771 +---------------------------+----------------+ 6772 | Header Field Name | Defined in... | 6773 +---------------------------+----------------+ 6774 | Authentication-Info | Section 10.3.3 | 6775 | Proxy-Authentication-Info | Section 10.3.4 | 6776 +---------------------------+----------------+ 6778 10.3.1. WWW-Authenticate 6780 The "WWW-Authenticate" header field indicates the authentication 6781 scheme(s) and parameters applicable to the target resource. 6783 WWW-Authenticate = 1#challenge 6785 A server generating a 401 (Unauthorized) response MUST send a WWW- 6786 Authenticate header field containing at least one challenge. A 6787 server MAY generate a WWW-Authenticate header field in other response 6788 messages to indicate that supplying credentials (or different 6789 credentials) might affect the response. 6791 A proxy forwarding a response MUST NOT modify any WWW-Authenticate 6792 fields in that response. 6794 User agents are advised to take special care in parsing the field 6795 value, as it might contain more than one challenge, and each 6796 challenge can contain a comma-separated list of authentication 6797 parameters. Furthermore, the header field itself can occur multiple 6798 times. 6800 For instance: 6802 WWW-Authenticate: Newauth realm="apps", type=1, 6803 title="Login to \"apps\"", Basic realm="simple" 6805 This header field contains two challenges; one for the "Newauth" 6806 scheme with a realm value of "apps", and two additional parameters 6807 "type" and "title", and another one for the "Basic" scheme with a 6808 realm value of "simple". 6810 Note: The challenge grammar production uses the list syntax as 6811 well. Therefore, a sequence of comma, whitespace, and comma can 6812 be considered either as applying to the preceding challenge, or to 6813 be an empty entry in the list of challenges. In practice, this 6814 ambiguity does not affect the semantics of the header field value 6815 and thus is harmless. 6817 10.3.2. Proxy-Authenticate 6819 The "Proxy-Authenticate" header field consists of at least one 6820 challenge that indicates the authentication scheme(s) and parameters 6821 applicable to the proxy for this effective request URI (Section 5.3). 6822 A proxy MUST send at least one Proxy-Authenticate header field in 6823 each 407 (Proxy Authentication Required) response that it generates. 6825 Proxy-Authenticate = 1#challenge 6827 Unlike WWW-Authenticate, the Proxy-Authenticate header field applies 6828 only to the next outbound client on the response chain. This is 6829 because only the client that chose a given proxy is likely to have 6830 the credentials necessary for authentication. However, when multiple 6831 proxies are used within the same administrative domain, such as 6832 office and regional caching proxies within a large corporate network, 6833 it is common for credentials to be generated by the user agent and 6834 passed through the hierarchy until consumed. Hence, in such a 6835 configuration, it will appear as if Proxy-Authenticate is being 6836 forwarded because each proxy will send the same challenge set. 6838 Note that the parsing considerations for WWW-Authenticate apply to 6839 this header field as well; see Section 10.3.1 for details. 6841 10.3.3. Authentication-Info 6843 HTTP authentication schemes can use the Authentication-Info response 6844 header field to communicate information after the client's 6845 authentication credentials have been accepted. This information can 6846 include a finalization message from the server (e.g., it can contain 6847 the server authentication). 6849 The field value is a list of parameters (name/value pairs), using the 6850 "auth-param" syntax defined in Section 8.5.1. This specification 6851 only describes the generic format; authentication schemes using 6852 Authentication-Info will define the individual parameters. The 6853 "Digest" Authentication Scheme, for instance, defines multiple 6854 parameters in Section 3.5 of [RFC7616]. 6856 Authentication-Info = #auth-param 6858 The Authentication-Info header field can be used in any HTTP 6859 response, independently of request method and status code. Its 6860 semantics are defined by the authentication scheme indicated by the 6861 Authorization header field (Section 8.5.3) of the corresponding 6862 request. 6864 A proxy forwarding a response is not allowed to modify the field 6865 value in any way. 6867 Authentication-Info can be used inside trailers (Section 7.1.2 of 6868 [Messaging]) when the authentication scheme explicitly allows this. 6870 10.3.3.1. Parameter Value Format 6872 Parameter values can be expressed either as "token" or as "quoted- 6873 string" (Section 4.2.3). 6875 Authentication scheme definitions need to allow both notations, both 6876 for senders and recipients. This allows recipients to use generic 6877 parsing components, independent of the authentication scheme in use. 6879 For backwards compatibility, authentication scheme definitions can 6880 restrict the format for senders to one of the two variants. This can 6881 be important when it is known that deployed implementations will fail 6882 when encountering one of the two formats. 6884 10.3.4. Proxy-Authentication-Info 6886 The Proxy-Authentication-Info response header field is equivalent to 6887 Authentication-Info, except that it applies to proxy authentication 6888 (Section 8.5.1) and its semantics are defined by the authentication 6889 scheme indicated by the Proxy-Authorization header field 6890 (Section 8.5.4) of the corresponding request: 6892 Proxy-Authentication-Info = #auth-param 6894 However, unlike Authentication-Info, the Proxy-Authentication-Info 6895 header field applies only to the next outbound client on the response 6896 chain. This is because only the client that chose a given proxy is 6897 likely to have the credentials necessary for authentication. 6898 However, when multiple proxies are used within the same 6899 administrative domain, such as office and regional caching proxies 6900 within a large corporate network, it is common for credentials to be 6901 generated by the user agent and passed through the hierarchy until 6902 consumed. Hence, in such a configuration, it will appear as if 6903 Proxy-Authentication-Info is being forwarded because each proxy will 6904 send the same field value. 6906 10.4. Response Context 6908 The remaining response header fields provide more information about 6909 the target resource for potential use in later requests. 6911 +-------------------+----------------+ 6912 | Header Field Name | Defined in... | 6913 +-------------------+----------------+ 6914 | Accept-Ranges | Section 10.4.1 | 6915 | Allow | Section 10.4.2 | 6916 | Server | Section 10.4.3 | 6917 +-------------------+----------------+ 6919 10.4.1. Accept-Ranges 6921 The "Accept-Ranges" header field allows a server to indicate that it 6922 supports range requests for the target resource. 6924 Accept-Ranges = acceptable-ranges 6925 acceptable-ranges = 1#range-unit / "none" 6927 An origin server that supports byte-range requests for a given target 6928 resource MAY send 6930 Accept-Ranges: bytes 6932 to indicate what range units are supported. A client MAY generate 6933 range requests without having received this header field for the 6934 resource involved. Range units are defined in Section 6.1.4. 6936 A server that does not support any kind of range request for the 6937 target resource MAY send 6939 Accept-Ranges: none 6941 to advise the client not to attempt a range request. 6943 10.4.2. Allow 6945 The "Allow" header field lists the set of methods advertised as 6946 supported by the target resource. The purpose of this field is 6947 strictly to inform the recipient of valid request methods associated 6948 with the resource. 6950 Allow = #method 6952 Example of use: 6954 Allow: GET, HEAD, PUT 6956 The actual set of allowed methods is defined by the origin server at 6957 the time of each request. An origin server MUST generate an Allow 6958 field in a 405 (Method Not Allowed) response and MAY do so in any 6959 other response. An empty Allow field value indicates that the 6960 resource allows no methods, which might occur in a 405 response if 6961 the resource has been temporarily disabled by configuration. 6963 A proxy MUST NOT modify the Allow header field -- it does not need to 6964 understand all of the indicated methods in order to handle them 6965 according to the generic message handling rules. 6967 10.4.3. Server 6969 The "Server" header field contains information about the software 6970 used by the origin server to handle the request, which is often used 6971 by clients to help identify the scope of reported interoperability 6972 problems, to work around or tailor requests to avoid particular 6973 server limitations, and for analytics regarding server or operating 6974 system use. An origin server MAY generate a Server field in its 6975 responses. 6977 Server = product *( RWS ( product / comment ) ) 6979 The Server field-value consists of one or more product identifiers, 6980 each followed by zero or more comments (Section 5 of [Messaging]), 6981 which together identify the origin server software and its 6982 significant subproducts. By convention, the product identifiers are 6983 listed in decreasing order of their significance for identifying the 6984 origin server software. Each product identifier consists of a name 6985 and optional version, as defined in Section 8.6.3. 6987 Example: 6989 Server: CERN/3.0 libwww/2.17 6991 An origin server SHOULD NOT generate a Server field containing 6992 needlessly fine-grained detail and SHOULD limit the addition of 6993 subproducts by third parties. Overly long and detailed Server field 6994 values increase response latency and potentially reveal internal 6995 implementation details that might make it (slightly) easier for 6996 attackers to find and exploit known security holes. 6998 11. ABNF List Extension: #rule 7000 A #rule extension to the ABNF rules of [RFC5234] is used to improve 7001 readability in the definitions of some header field values. 7003 A construct "#" is defined, similar to "*", for defining comma- 7004 delimited lists of elements. The full form is "#element" 7005 indicating at least and at most elements, each separated by a 7006 single comma (",") and optional whitespace (OWS). 7008 In any production that uses the list construct, a sender MUST NOT 7009 generate empty list elements. In other words, a sender MUST generate 7010 lists that satisfy the following syntax: 7012 1#element => element *( OWS "," OWS element ) 7014 and: 7016 #element => [ 1#element ] 7018 and for n >= 1 and m > 1: 7020 #element => element *( OWS "," OWS element ) 7022 For compatibility with legacy list rules, a recipient MUST parse and 7023 ignore a reasonable number of empty list elements: enough to handle 7024 common mistakes by senders that merge values, but not so much that 7025 they could be used as a denial-of-service mechanism. In other words, 7026 a recipient MUST accept lists that satisfy the following syntax: 7028 #element => [ ( "," / element ) *( OWS "," [ OWS element ] ) ] 7030 1#element => *( "," OWS ) element *( OWS "," [ OWS element ] ) 7032 Empty elements do not contribute to the count of elements present. 7033 For example, given these ABNF productions: 7035 example-list = 1#example-list-elmt 7036 example-list-elmt = token ; see Section 4.2.3 7038 Then the following are valid values for example-list (not including 7039 the double quotes, which are present for delimitation only): 7041 "foo,bar" 7042 "foo ,bar," 7043 "foo , ,bar,charlie" 7045 In contrast, the following values would be invalid, since at least 7046 one non-empty element is required by the example-list production: 7048 "" 7049 "," 7050 ", ," 7052 Appendix A shows the collected ABNF for recipients after the list 7053 constructs have been expanded. 7055 12. Security Considerations 7057 This section is meant to inform developers, information providers, 7058 and users of known security concerns relevant to HTTP semantics and 7059 its use for transferring information over the Internet. 7060 Considerations related to message syntax, parsing, and routing are 7061 discussed in Section 11 of [Messaging]. 7063 The list of considerations below is not exhaustive. Most security 7064 concerns related to HTTP semantics are about securing server-side 7065 applications (code behind the HTTP interface), securing user agent 7066 processing of payloads received via HTTP, or secure use of the 7067 Internet in general, rather than security of the protocol. Various 7068 organizations maintain topical information and links to current 7069 research on Web application security (e.g., [OWASP]). 7071 12.1. Establishing Authority 7073 HTTP relies on the notion of an authoritative response: a response 7074 that has been determined by (or at the direction of) the authority 7075 identified within the target URI to be the most appropriate response 7076 for that request given the state of the target resource at the time 7077 of response message origination. Providing a response from a non- 7078 authoritative source, such as a shared cache, is often useful to 7079 improve performance and availability, but only to the extent that the 7080 source can be trusted or the distrusted response can be safely used. 7082 Unfortunately, establishing authority can be difficult. For example, 7083 phishing is an attack on the user's perception of authority, where 7084 that perception can be misled by presenting similar branding in 7085 hypertext, possibly aided by userinfo obfuscating the authority 7086 component (see Section 2.5.1). User agents can reduce the impact of 7087 phishing attacks by enabling users to easily inspect a target URI 7088 prior to making an action, by prominently distinguishing (or 7089 rejecting) userinfo when present, and by not sending stored 7090 credentials and cookies when the referring document is from an 7091 unknown or untrusted source. 7093 When a registered name is used in the authority component, the "http" 7094 URI scheme (Section 2.5.1) relies on the user's local name resolution 7095 service to determine where it can find authoritative responses. This 7096 means that any attack on a user's network host table, cached names, 7097 or name resolution libraries becomes an avenue for attack on 7098 establishing authority. Likewise, the user's choice of server for 7099 Domain Name Service (DNS), and the hierarchy of servers from which it 7100 obtains resolution results, could impact the authenticity of address 7101 mappings; DNS Security Extensions (DNSSEC, [RFC4033]) are one way to 7102 improve authenticity. 7104 Furthermore, after an IP address is obtained, establishing authority 7105 for an "http" URI is vulnerable to attacks on Internet Protocol 7106 routing. 7108 The "https" scheme (Section 2.5.2) is intended to prevent (or at 7109 least reveal) many of these potential attacks on establishing 7110 authority, provided that the negotiated TLS connection is secured and 7111 the client properly verifies that the communicating server's identity 7112 matches the target URI's authority component (see [RFC2818]). 7113 Correctly implementing such verification can be difficult (see 7114 [Georgiev]). 7116 12.2. Risks of Intermediaries 7118 By their very nature, HTTP intermediaries are men-in-the-middle and, 7119 thus, represent an opportunity for man-in-the-middle attacks. 7120 Compromise of the systems on which the intermediaries run can result 7121 in serious security and privacy problems. Intermediaries might have 7122 access to security-related information, personal information about 7123 individual users and organizations, and proprietary information 7124 belonging to users and content providers. A compromised 7125 intermediary, or an intermediary implemented or configured without 7126 regard to security and privacy considerations, might be used in the 7127 commission of a wide range of potential attacks. 7129 Intermediaries that contain a shared cache are especially vulnerable 7130 to cache poisoning attacks, as described in Section 7 of [Caching]. 7132 Implementers need to consider the privacy and security implications 7133 of their design and coding decisions, and of the configuration 7134 options they provide to operators (especially the default 7135 configuration). 7137 Users need to be aware that intermediaries are no more trustworthy 7138 than the people who run them; HTTP itself cannot solve this problem. 7140 12.3. Attacks Based on File and Path Names 7142 Origin servers frequently make use of their local file system to 7143 manage the mapping from effective request URI to resource 7144 representations. Most file systems are not designed to protect 7145 against malicious file or path names. Therefore, an origin server 7146 needs to avoid accessing names that have a special significance to 7147 the system when mapping the request target to files, folders, or 7148 directories. 7150 For example, UNIX, Microsoft Windows, and other operating systems use 7151 ".." as a path component to indicate a directory level above the 7152 current one, and they use specially named paths or file names to send 7153 data to system devices. Similar naming conventions might exist 7154 within other types of storage systems. Likewise, local storage 7155 systems have an annoying tendency to prefer user-friendliness over 7156 security when handling invalid or unexpected characters, 7157 recomposition of decomposed characters, and case-normalization of 7158 case-insensitive names. 7160 Attacks based on such special names tend to focus on either denial- 7161 of-service (e.g., telling the server to read from a COM port) or 7162 disclosure of configuration and source files that are not meant to be 7163 served. 7165 12.4. Attacks Based on Command, Code, or Query Injection 7167 Origin servers often use parameters within the URI as a means of 7168 identifying system services, selecting database entries, or choosing 7169 a data source. However, data received in a request cannot be 7170 trusted. An attacker could construct any of the request data 7171 elements (method, request-target, header fields, or body) to contain 7172 data that might be misinterpreted as a command, code, or query when 7173 passed through a command invocation, language interpreter, or 7174 database interface. 7176 For example, SQL injection is a common attack wherein additional 7177 query language is inserted within some part of the request-target or 7178 header fields (e.g., Host, Referer, etc.). If the received data is 7179 used directly within a SELECT statement, the query language might be 7180 interpreted as a database command instead of a simple string value. 7181 This type of implementation vulnerability is extremely common, in 7182 spite of being easy to prevent. 7184 In general, resource implementations ought to avoid use of request 7185 data in contexts that are processed or interpreted as instructions. 7186 Parameters ought to be compared to fixed strings and acted upon as a 7187 result of that comparison, rather than passed through an interface 7188 that is not prepared for untrusted data. Received data that isn't 7189 based on fixed parameters ought to be carefully filtered or encoded 7190 to avoid being misinterpreted. 7192 Similar considerations apply to request data when it is stored and 7193 later processed, such as within log files, monitoring tools, or when 7194 included within a data format that allows embedded scripts. 7196 12.5. Attacks via Protocol Element Length 7198 Because HTTP uses mostly textual, character-delimited fields, parsers 7199 are often vulnerable to attacks based on sending very long (or very 7200 slow) streams of data, particularly where an implementation is 7201 expecting a protocol element with no predefined length (Section 3.3). 7203 To promote interoperability, specific recommendations are made for 7204 minimum size limits on request-line (Section 3 of [Messaging]) and 7205 header fields (Section 5 of [Messaging]). These are minimum 7206 recommendations, chosen to be supportable even by implementations 7207 with limited resources; it is expected that most implementations will 7208 choose substantially higher limits. 7210 A server can reject a message that has a request-target that is too 7211 long (Section 9.5.15) or a request payload that is too large 7212 (Section 9.5.14). Additional status codes related to capacity limits 7213 have been defined by extensions to HTTP [RFC6585]. 7215 Recipients ought to carefully limit the extent to which they process 7216 other protocol elements, including (but not limited to) request 7217 methods, response status phrases, header field-names, numeric values, 7218 and body chunks. Failure to limit such processing can result in 7219 buffer overflows, arithmetic overflows, or increased vulnerability to 7220 denial-of-service attacks. 7222 12.6. Disclosure of Personal Information 7224 Clients are often privy to large amounts of personal information, 7225 including both information provided by the user to interact with 7226 resources (e.g., the user's name, location, mail address, passwords, 7227 encryption keys, etc.) and information about the user's browsing 7228 activity over time (e.g., history, bookmarks, etc.). Implementations 7229 need to prevent unintentional disclosure of personal information. 7231 12.7. Privacy of Server Log Information 7233 A server is in the position to save personal data about a user's 7234 requests over time, which might identify their reading patterns or 7235 subjects of interest. In particular, log information gathered at an 7236 intermediary often contains a history of user agent interaction, 7237 across a multitude of sites, that can be traced to individual users. 7239 HTTP log information is confidential in nature; its handling is often 7240 constrained by laws and regulations. Log information needs to be 7241 securely stored and appropriate guidelines followed for its analysis. 7242 Anonymization of personal information within individual entries 7243 helps, but it is generally not sufficient to prevent real log traces 7244 from being re-identified based on correlation with other access 7245 characteristics. As such, access traces that are keyed to a specific 7246 client are unsafe to publish even if the key is pseudonymous. 7248 To minimize the risk of theft or accidental publication, log 7249 information ought to be purged of personally identifiable 7250 information, including user identifiers, IP addresses, and user- 7251 provided query parameters, as soon as that information is no longer 7252 necessary to support operational needs for security, auditing, or 7253 fraud control. 7255 12.8. Disclosure of Sensitive Information in URIs 7257 URIs are intended to be shared, not secured, even when they identify 7258 secure resources. URIs are often shown on displays, added to 7259 templates when a page is printed, and stored in a variety of 7260 unprotected bookmark lists. It is therefore unwise to include 7261 information within a URI that is sensitive, personally identifiable, 7262 or a risk to disclose. 7264 Authors of services ought to avoid GET-based forms for the submission 7265 of sensitive data because that data will be placed in the request- 7266 target. Many existing servers, proxies, and user agents log or 7267 display the request-target in places where it might be visible to 7268 third parties. Such services ought to use POST-based form submission 7269 instead. 7271 Since the Referer header field tells a target site about the context 7272 that resulted in a request, it has the potential to reveal 7273 information about the user's immediate browsing history and any 7274 personal information that might be found in the referring resource's 7275 URI. Limitations on the Referer header field are described in 7276 Section 8.6.2 to address some of its security considerations. 7278 12.9. Disclosure of Fragment after Redirects 7280 Although fragment identifiers used within URI references are not sent 7281 in requests, implementers ought to be aware that they will be visible 7282 to the user agent and any extensions or scripts running as a result 7283 of the response. In particular, when a redirect occurs and the 7284 original request's fragment identifier is inherited by the new 7285 reference in Location (Section 10.1.2), this might have the effect of 7286 disclosing one site's fragment to another site. If the first site 7287 uses personal information in fragments, it ought to ensure that 7288 redirects to other sites include a (possibly empty) fragment 7289 component in order to block that inheritance. 7291 12.10. Disclosure of Product Information 7293 The User-Agent (Section 8.6.3), Via (Section 5.5.1), and Server 7294 (Section 10.4.3) header fields often reveal information about the 7295 respective sender's software systems. In theory, this can make it 7296 easier for an attacker to exploit known security holes; in practice, 7297 attackers tend to try all potential holes regardless of the apparent 7298 software versions being used. 7300 Proxies that serve as a portal through a network firewall ought to 7301 take special precautions regarding the transfer of header information 7302 that might identify hosts behind the firewall. The Via header field 7303 allows intermediaries to replace sensitive machine names with 7304 pseudonyms. 7306 12.11. Browser Fingerprinting 7308 Browser fingerprinting is a set of techniques for identifying a 7309 specific user agent over time through its unique set of 7310 characteristics. These characteristics might include information 7311 related to its TCP behavior, feature capabilities, and scripting 7312 environment, though of particular interest here is the set of unique 7313 characteristics that might be communicated via HTTP. Fingerprinting 7314 is considered a privacy concern because it enables tracking of a user 7315 agent's behavior over time without the corresponding controls that 7316 the user might have over other forms of data collection (e.g., 7317 cookies). Many general-purpose user agents (i.e., Web browsers) have 7318 taken steps to reduce their fingerprints. 7320 There are a number of request header fields that might reveal 7321 information to servers that is sufficiently unique to enable 7322 fingerprinting. The From header field is the most obvious, though it 7323 is expected that From will only be sent when self-identification is 7324 desired by the user. Likewise, Cookie header fields are deliberately 7325 designed to enable re-identification, so fingerprinting concerns only 7326 apply to situations where cookies are disabled or restricted by the 7327 user agent's configuration. 7329 The User-Agent header field might contain enough information to 7330 uniquely identify a specific device, usually when combined with other 7331 characteristics, particularly if the user agent sends excessive 7332 details about the user's system or extensions. However, the source 7333 of unique information that is least expected by users is proactive 7334 negotiation (Section 8.4), including the Accept, Accept-Charset, 7335 Accept-Encoding, and Accept-Language header fields. 7337 In addition to the fingerprinting concern, detailed use of the 7338 Accept-Language header field can reveal information the user might 7339 consider to be of a private nature. For example, understanding a 7340 given language set might be strongly correlated to membership in a 7341 particular ethnic group. An approach that limits such loss of 7342 privacy would be for a user agent to omit the sending of Accept- 7343 Language except for sites that have been whitelisted, perhaps via 7344 interaction after detecting a Vary header field that indicates 7345 language negotiation might be useful. 7347 In environments where proxies are used to enhance privacy, user 7348 agents ought to be conservative in sending proactive negotiation 7349 header fields. General-purpose user agents that provide a high 7350 degree of header field configurability ought to inform users about 7351 the loss of privacy that might result if too much detail is provided. 7352 As an extreme privacy measure, proxies could filter the proactive 7353 negotiation header fields in relayed requests. 7355 12.12. Validator Retention 7357 The validators defined by this specification are not intended to 7358 ensure the validity of a representation, guard against malicious 7359 changes, or detect man-in-the-middle attacks. At best, they enable 7360 more efficient cache updates and optimistic concurrent writes when 7361 all participants are behaving nicely. At worst, the conditions will 7362 fail and the client will receive a response that is no more harmful 7363 than an HTTP exchange without conditional requests. 7365 An entity-tag can be abused in ways that create privacy risks. For 7366 example, a site might deliberately construct a semantically invalid 7367 entity-tag that is unique to the user or user agent, send it in a 7368 cacheable response with a long freshness time, and then read that 7369 entity-tag in later conditional requests as a means of re-identifying 7370 that user or user agent. Such an identifying tag would become a 7371 persistent identifier for as long as the user agent retained the 7372 original cache entry. User agents that cache representations ought 7373 to ensure that the cache is cleared or replaced whenever the user 7374 performs privacy-maintaining actions, such as clearing stored cookies 7375 or changing to a private browsing mode. 7377 12.13. Denial-of-Service Attacks Using Range 7379 Unconstrained multiple range requests are susceptible to denial-of- 7380 service attacks because the effort required to request many 7381 overlapping ranges of the same data is tiny compared to the time, 7382 memory, and bandwidth consumed by attempting to serve the requested 7383 data in many parts. Servers ought to ignore, coalesce, or reject 7384 egregious range requests, such as requests for more than two 7385 overlapping ranges or for many small ranges in a single set, 7386 particularly when the ranges are requested out of order for no 7387 apparent reason. Multipart range requests are not designed to 7388 support random access. 7390 12.14. Authentication Considerations 7392 Everything about the topic of HTTP authentication is a security 7393 consideration, so the list of considerations below is not exhaustive. 7394 Furthermore, it is limited to security considerations regarding the 7395 authentication framework, in general, rather than discussing all of 7396 the potential considerations for specific authentication schemes 7397 (which ought to be documented in the specifications that define those 7398 schemes). Various organizations maintain topical information and 7399 links to current research on Web application security (e.g., 7400 [OWASP]), including common pitfalls for implementing and using the 7401 authentication schemes found in practice. 7403 12.14.1. Confidentiality of Credentials 7405 The HTTP authentication framework does not define a single mechanism 7406 for maintaining the confidentiality of credentials; instead, each 7407 authentication scheme defines how the credentials are encoded prior 7408 to transmission. While this provides flexibility for the development 7409 of future authentication schemes, it is inadequate for the protection 7410 of existing schemes that provide no confidentiality on their own, or 7411 that do not sufficiently protect against replay attacks. 7412 Furthermore, if the server expects credentials that are specific to 7413 each individual user, the exchange of those credentials will have the 7414 effect of identifying that user even if the content within 7415 credentials remains confidential. 7417 HTTP depends on the security properties of the underlying transport- 7418 or session-level connection to provide confidential transmission of 7419 header fields. In other words, if a server limits access to 7420 authenticated users using this framework, the server needs to ensure 7421 that the connection is properly secured in accordance with the nature 7422 of the authentication scheme used. For example, services that depend 7423 on individual user authentication often require a connection to be 7424 secured with TLS ("Transport Layer Security", [RFC5246]) prior to 7425 exchanging any credentials. 7427 12.14.2. Credentials and Idle Clients 7429 Existing HTTP clients and user agents typically retain authentication 7430 information indefinitely. HTTP does not provide a mechanism for the 7431 origin server to direct clients to discard these cached credentials, 7432 since the protocol has no awareness of how credentials are obtained 7433 or managed by the user agent. The mechanisms for expiring or 7434 revoking credentials can be specified as part of an authentication 7435 scheme definition. 7437 Circumstances under which credential caching can interfere with the 7438 application's security model include but are not limited to: 7440 o Clients that have been idle for an extended period, following 7441 which the server might wish to cause the client to re-prompt the 7442 user for credentials. 7444 o Applications that include a session termination indication (such 7445 as a "logout" or "commit" button on a page) after which the server 7446 side of the application "knows" that there is no further reason 7447 for the client to retain the credentials. 7449 User agents that cache credentials are encouraged to provide a 7450 readily accessible mechanism for discarding cached credentials under 7451 user control. 7453 12.14.3. Protection Spaces 7455 Authentication schemes that solely rely on the "realm" mechanism for 7456 establishing a protection space will expose credentials to all 7457 resources on an origin server. Clients that have successfully made 7458 authenticated requests with a resource can use the same 7459 authentication credentials for other resources on the same origin 7460 server. This makes it possible for a different resource to harvest 7461 authentication credentials for other resources. 7463 This is of particular concern when an origin server hosts resources 7464 for multiple parties under the same canonical root URI 7465 (Section 8.5.2). Possible mitigation strategies include restricting 7466 direct access to authentication credentials (i.e., not making the 7467 content of the Authorization request header field available), and 7468 separating protection spaces by using a different host name (or port 7469 number) for each party. 7471 12.14.4. Additional Response Header Fields 7473 Adding information to responses that are sent over an unencrypted 7474 channel can affect security and privacy. The presence of the 7475 Authentication-Info and Proxy-Authentication-Info header fields alone 7476 indicates that HTTP authentication is in use. Additional information 7477 could be exposed by the contents of the authentication-scheme 7478 specific parameters; this will have to be considered in the 7479 definitions of these schemes. 7481 13. IANA Considerations 7483 The change controller for the following registrations is: "IETF 7484 (iesg@ietf.org) - Internet Engineering Task Force". 7486 13.1. URI Scheme Registration 7488 Please update the registry of URI Schemes [BCP35] at 7489 with the permanent 7490 schemes listed in the first table of Section 2.5. 7492 13.2. Method Registration 7494 Please update the "Hypertext Transfer Protocol (HTTP) Method 7495 Registry" at with the 7496 registration procedure of Section 7.4.1 and the method names 7497 summarized in the table of Section 7.2. 7499 13.3. Status Code Registration 7501 Please update the "Hypertext Transfer Protocol (HTTP) Status Code 7502 Registry" at 7503 with the registration procedure of Section 9.7.1 and the status code 7504 values summarized in the table of Section 9.1. 7506 Additionally, please update the following entry in the Hypertext 7507 Transfer Protocol (HTTP) Status Code Registry: 7509 Value: 418 7511 Description: (Unused) 7513 Reference Section 9.5.19 7515 13.4. Header Field Registration 7517 Please create a new registry as outlined in Section 4.1.1. 7519 After creating the registry, all entries in the Permanent and 7520 Provisional Message Header Registries with the protocol 'http' are to 7521 be moved to it, with the following changes applied: 7523 1. The 'Applicable Protocol' field is to be omitted. 7525 2. Entries with a status of 'standard', 'experimental', or 7526 'informational' are to have a status of 'permanent'. 7528 3. Entries with a status of 'deprecated' are to have a status of 7529 'obsoleted'. 7531 4. Provisional entries without a status are to have a status of 7532 'provisional'. 7534 5. Permanent entries without a status (after confirmation that the 7535 registration document did not define one) will have a status of 7536 'provisional'. The Expert(s) can choose to update their status 7537 if there is evidence that another is more appropriate. 7539 Please annotate the Permanent and Provisional Message Header 7540 registries to indicate that HTTP header field registrations have 7541 moved, with an appropriate link. 7543 After that is complete, please update the new registry with the 7544 header field names listed in the table of Section 4.1. 7546 Finally, please update the "Content-MD5" entry in the new registry to 7547 have a status of 'obsoleted' with references to Section 14.15 of 7548 [RFC2616] (for the definition of the header field) and Appendix B of 7549 [RFC7231] (which removed the field definition from the updated 7550 specification). 7552 13.5. Authentication Scheme Registration 7554 Please update the "Hypertext Transfer Protocol (HTTP) Authentication 7555 Scheme Registry" at with the registration procedure of Section 8.5.5.1. No 7557 authentication schemes are defined in this document. 7559 13.6. Content Coding Registration 7561 Please update the "HTTP Content Coding Registry" at 7562 with the 7563 registration procedure of Section 6.1.2.4.1 and the content coding 7564 names summarized in the table of Section 6.1.2. 7566 13.7. Range Unit Registration 7568 Please update the "HTTP Range Unit Registry" at 7569 with the 7570 registration procedure of Section 6.1.4.3 and the range unit names 7571 summarized in the table of Section 6.1.4. 7573 13.8. Media Type Registration 7575 Please update the "Media Types" registry at 7576 with the registration 7577 information in Section 6.3.4 for the media type "multipart/ 7578 byteranges". 7580 14. References 7582 14.1. Normative References 7584 [Caching] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 7585 Ed., "HTTP Caching", draft-ietf-httpbis-cache-04 (work in 7586 progress), March 2019. 7588 [Messaging] 7589 Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 7590 Ed., "HTTP/1.1 Messaging", draft-ietf-httpbis-messaging-04 7591 (work in progress), March 2019. 7593 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 7594 RFC 793, DOI 10.17487/RFC0793, September 1981, 7595 . 7597 [RFC1950] Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data Format 7598 Specification version 3.3", RFC 1950, 7599 DOI 10.17487/RFC1950, May 1996, 7600 . 7602 [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification 7603 version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996, 7604 . 7606 [RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and G. 7607 Randers-Pehrson, "GZIP file format specification version 7608 4.3", RFC 1952, DOI 10.17487/RFC1952, May 1996, 7609 . 7611 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 7612 Extensions (MIME) Part One: Format of Internet Message 7613 Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, 7614 . 7616 [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 7617 Extensions (MIME) Part Two: Media Types", RFC 2046, 7618 DOI 10.17487/RFC2046, November 1996, 7619 . 7621 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 7622 Requirement Levels", BCP 14, RFC 2119, 7623 DOI 10.17487/RFC2119, March 1997, 7624 . 7626 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 7627 Resource Identifier (URI): Generic Syntax", STD 66, 7628 RFC 3986, DOI 10.17487/RFC3986, January 2005, 7629 . 7631 [RFC4647] Phillips, A., Ed. and M. Davis, Ed., "Matching of Language 7632 Tags", BCP 47, RFC 4647, DOI 10.17487/RFC4647, September 7633 2006, . 7635 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 7636 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 7637 . 7639 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 7640 Specifications: ABNF", STD 68, RFC 5234, 7641 DOI 10.17487/RFC5234, January 2008, 7642 . 7644 [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying 7645 Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, 7646 September 2009, . 7648 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in 7649 Internationalization in the IETF", BCP 166, RFC 6365, 7650 DOI 10.17487/RFC6365, September 2011, 7651 . 7653 [RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF", 7654 RFC 7405, DOI 10.17487/RFC7405, December 2014, 7655 . 7657 [USASCII] American National Standards Institute, "Coded Character 7658 Set -- 7-bit American Standard Code for Information 7659 Interchange", ANSI X3.4, 1986. 7661 [Welch] Welch, T., "A Technique for High-Performance Data 7662 Compression", IEEE Computer 17(6), 7663 DOI 10.1109/MC.1984.1659158, June 1984, 7664 . 7666 14.2. Informative References 7668 [BCP13] Freed, N., Klensin, J., and T. Hansen, "Media Type 7669 Specifications and Registration Procedures", BCP 13, 7670 RFC 6838, January 2013, 7671 . 7673 [BCP178] Saint-Andre, P., Crocker, D., and M. Nottingham, 7674 "Deprecating the "X-" Prefix and Similar Constructs in 7675 Application Protocols", BCP 178, RFC 6648, June 2012, 7676 . 7678 [BCP35] Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines 7679 and Registration Procedures for URI Schemes", BCP 35, 7680 RFC 7595, June 2015, 7681 . 7683 [BCP90] Klyne, G., Nottingham, M., and J. Mogul, "Registration 7684 Procedures for Message Header Fields", BCP 90, RFC 3864, 7685 September 2004, . 7687 [Err1912] RFC Errata, Erratum ID 1912, RFC 2978, 7688 . 7690 [Err5433] RFC Errata, Erratum ID 5433, RFC 2978, 7691 . 7693 [Georgiev] 7694 Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, 7695 D., and V. Shmatikov, "The Most Dangerous Code in the 7696 World: Validating SSL Certificates in Non-browser 7697 Software", In Proceedings of the 2012 ACM Conference on 7698 Computer and Communications Security (CCS '12), pp. 38-49, 7699 October 2012, 7700 . 7702 [ISO-8859-1] 7703 International Organization for Standardization, 7704 "Information technology -- 8-bit single-byte coded graphic 7705 character sets -- Part 1: Latin alphabet No. 1", ISO/ 7706 IEC 8859-1:1998, 1998. 7708 [Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and 7709 Politics", ACM Transactions on Internet Technology 1(2), 7710 November 2001, . 7712 [OWASP] van der Stock, A., Ed., "A Guide to Building Secure Web 7713 Applications and Web Services", The Open Web Application 7714 Security Project (OWASP) 2.0.1, July 2005, 7715 . 7717 [REST] Fielding, R., "Architectural Styles and the Design of 7718 Network-based Software Architectures", 7719 Doctoral Dissertation, University of California, Irvine, 7720 September 2000, 7721 . 7723 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 7724 RFC 1919, DOI 10.17487/RFC1919, March 1996, 7725 . 7727 [RFC1945] Berners-Lee, T., Fielding, R., and H. Nielsen, "Hypertext 7728 Transfer Protocol -- HTTP/1.0", RFC 1945, 7729 DOI 10.17487/RFC1945, May 1996, 7730 . 7732 [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) 7733 Part Three: Message Header Extensions for Non-ASCII Text", 7734 RFC 2047, DOI 10.17487/RFC2047, November 1996, 7735 . 7737 [RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. 7738 Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", 7739 RFC 2068, DOI 10.17487/RFC2068, January 1997, 7740 . 7742 [RFC2145] Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, "Use 7743 and Interpretation of HTTP Version Numbers", RFC 2145, 7744 DOI 10.17487/RFC2145, May 1997, 7745 . 7747 [RFC2295] Holtman, K. and A. Mutz, "Transparent Content Negotiation 7748 in HTTP", RFC 2295, DOI 10.17487/RFC2295, March 1998, 7749 . 7751 [RFC2324] Masinter, L., "Hyper Text Coffee Pot Control Protocol 7752 (HTCPCP/1.0)", RFC 2324, DOI 10.17487/RFC2324, April 1998, 7753 . 7755 [RFC2557] Palme, F., Hopmann, A., Shelness, N., and E. Stefferud, 7756 "MIME Encapsulation of Aggregate Documents, such as HTML 7757 (MHTML)", RFC 2557, DOI 10.17487/RFC2557, March 1999, 7758 . 7760 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 7761 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 7762 Transfer Protocol -- HTTP/1.1", RFC 2616, 7763 DOI 10.17487/RFC2616, June 1999, 7764 . 7766 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., 7767 Leach, P., Luotonen, A., and L. Stewart, "HTTP 7768 Authentication: Basic and Digest Access Authentication", 7769 RFC 2617, DOI 10.17487/RFC2617, June 1999, 7770 . 7772 [RFC2774] Frystyk, H., Leach, P., and S. Lawrence, "An HTTP 7773 Extension Framework", RFC 2774, DOI 10.17487/RFC2774, 7774 February 2000, . 7776 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 7777 DOI 10.17487/RFC2818, May 2000, 7778 . 7780 [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration 7781 Procedures", BCP 19, RFC 2978, DOI 10.17487/RFC2978, 7782 October 2000, . 7784 [RFC3040] Cooper, I., Melve, I., and G. Tomlinson, "Internet Web 7785 Replication and Caching Taxonomy", RFC 3040, 7786 DOI 10.17487/RFC3040, January 2001, 7787 . 7789 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 7790 Rose, "DNS Security Introduction and Requirements", 7791 RFC 4033, DOI 10.17487/RFC4033, March 2005, 7792 . 7794 [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based 7795 Kerberos and NTLM HTTP Authentication in Microsoft 7796 Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006, 7797 . 7799 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed 7800 Authoring and Versioning (WebDAV)", RFC 4918, 7801 DOI 10.17487/RFC4918, June 2007, 7802 . 7804 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 7805 (TLS) Protocol Version 1.2", RFC 5246, 7806 DOI 10.17487/RFC5246, August 2008, 7807 . 7809 [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, 7810 DOI 10.17487/RFC5322, October 2008, 7811 . 7813 [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", 7814 RFC 5789, DOI 10.17487/RFC5789, March 2010, 7815 . 7817 [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, 7818 "Network Time Protocol Version 4: Protocol and Algorithms 7819 Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, 7820 . 7822 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, 7823 DOI 10.17487/RFC6265, April 2011, 7824 . 7826 [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status 7827 Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, 7828 . 7830 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7831 Protocol (HTTP/1.1): Message Syntax and Routing", 7832 RFC 7230, DOI 10.17487/RFC7230, June 2014, 7833 . 7835 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7836 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 7837 DOI 10.17487/RFC7231, June 2014, 7838 . 7840 [RFC7232] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7841 Protocol (HTTP/1.1): Conditional Requests", RFC 7232, 7842 DOI 10.17487/RFC7232, June 2014, 7843 . 7845 [RFC7233] Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed., 7846 "Hypertext Transfer Protocol (HTTP): Range Requests", 7847 RFC 7233, DOI 10.17487/RFC7233, June 2014, 7848 . 7850 [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7851 Protocol (HTTP/1.1): Authentication", RFC 7235, 7852 DOI 10.17487/RFC7235, June 2014, 7853 . 7855 [RFC7538] Reschke, J., "The Hypertext Transfer Protocol Status Code 7856 308 (Permanent Redirect)", RFC 7538, DOI 10.17487/RFC7538, 7857 April 2015, . 7859 [RFC7578] Masinter, L., "Returning Values from Forms: multipart/ 7860 form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015, 7861 . 7863 [RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy- 7864 Authentication-Info Response Header Fields", RFC 7615, 7865 DOI 10.17487/RFC7615, September 2015, 7866 . 7868 [RFC7616] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP 7869 Digest Access Authentication", RFC 7616, 7870 DOI 10.17487/RFC7616, September 2015, 7871 . 7873 [RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", 7874 RFC 7617, DOI 10.17487/RFC7617, September 2015, 7875 . 7877 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 7878 Writing an IANA Considerations Section in RFCs", BCP 26, 7879 RFC 8126, DOI 10.17487/RFC8126, June 2017, 7880 . 7882 [RFC8187] Reschke, J., "Indicating Character Encoding and Language 7883 for HTTP Header Field Parameters", RFC 8187, 7884 DOI 10.17487/RFC8187, September 2017, 7885 . 7887 [RFC8246] McManus, P., "HTTP Immutable Responses", RFC 8246, 7888 DOI 10.17487/RFC8246, September 2017, 7889 . 7891 [RFC8288] Nottingham, M., "Web Linking", RFC 8288, 7892 DOI 10.17487/RFC8288, October 2017, 7893 . 7895 Appendix A. Collected ABNF 7897 In the collected ABNF below, list rules are expanded as per 7898 Section 11. 7900 Accept = [ ( "," / ( media-range [ accept-params ] ) ) *( OWS "," [ 7901 OWS ( media-range [ accept-params ] ) ] ) ] 7902 Accept-Charset = *( "," OWS ) ( ( charset / "*" ) [ weight ] ) *( OWS 7903 "," [ OWS ( ( charset / "*" ) [ weight ] ) ] ) 7904 Accept-Encoding = [ ( "," / ( codings [ weight ] ) ) *( OWS "," [ OWS 7905 ( codings [ weight ] ) ] ) ] 7906 Accept-Language = *( "," OWS ) ( language-range [ weight ] ) *( OWS 7907 "," [ OWS ( language-range [ weight ] ) ] ) 7908 Accept-Ranges = acceptable-ranges 7909 Allow = [ ( "," / method ) *( OWS "," [ OWS method ] ) ] 7910 Authentication-Info = [ ( "," / auth-param ) *( OWS "," [ OWS 7911 auth-param ] ) ] 7912 Authorization = credentials 7914 BWS = OWS 7916 Content-Encoding = *( "," OWS ) content-coding *( OWS "," [ OWS 7917 content-coding ] ) 7918 Content-Language = *( "," OWS ) language-tag *( OWS "," [ OWS 7919 language-tag ] ) 7920 Content-Length = 1*DIGIT 7921 Content-Location = absolute-URI / partial-URI 7922 Content-Range = byte-content-range / other-content-range 7923 Content-Type = media-type 7925 Date = HTTP-date 7927 ETag = entity-tag 7928 Expect = "100-continue" 7930 From = mailbox 7932 GMT = %x47.4D.54 ; GMT 7934 HTTP-date = IMF-fixdate / obs-date 7935 Host = uri-host [ ":" port ] 7937 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 7938 If-Match = "*" / ( *( "," OWS ) entity-tag *( OWS "," [ OWS 7939 entity-tag ] ) ) 7940 If-Modified-Since = HTTP-date 7941 If-None-Match = "*" / ( *( "," OWS ) entity-tag *( OWS "," [ OWS 7942 entity-tag ] ) ) 7944 If-Range = entity-tag / HTTP-date 7945 If-Unmodified-Since = HTTP-date 7947 Last-Modified = HTTP-date 7948 Location = URI-reference 7950 Max-Forwards = 1*DIGIT 7952 OWS = *( SP / HTAB ) 7954 Proxy-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS 7955 challenge ] ) 7956 Proxy-Authentication-Info = [ ( "," / auth-param ) *( OWS "," [ OWS 7957 auth-param ] ) ] 7958 Proxy-Authorization = credentials 7960 RWS = 1*( SP / HTAB ) 7961 Range = byte-ranges-specifier / other-ranges-specifier 7962 Referer = absolute-URI / partial-URI 7963 Retry-After = HTTP-date / delay-seconds 7965 Server = product *( RWS ( product / comment ) ) 7967 Trailer = *( "," OWS ) field-name *( OWS "," [ OWS field-name ] ) 7969 URI-reference = 7970 User-Agent = product *( RWS ( product / comment ) ) 7972 Vary = "*" / ( *( "," OWS ) field-name *( OWS "," [ OWS field-name ] 7973 ) ) 7974 Via = *( "," OWS ) ( received-protocol RWS received-by [ RWS comment 7975 ] ) *( OWS "," [ OWS ( received-protocol RWS received-by [ RWS 7976 comment ] ) ] ) 7978 WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge 7979 ] ) 7981 absolute-URI = 7982 absolute-path = 1*( "/" segment ) 7983 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 7984 accept-params = weight *accept-ext 7985 acceptable-ranges = ( *( "," OWS ) range-unit *( OWS "," [ OWS 7986 range-unit ] ) ) / "none" 7987 asctime-date = day-name SP date3 SP time-of-day SP year 7988 auth-param = token BWS "=" BWS ( token / quoted-string ) 7989 auth-scheme = token 7990 authority = 7991 byte-content-range = bytes-unit SP ( byte-range-resp / 7992 unsatisfied-range ) 7993 byte-range = first-byte-pos "-" last-byte-pos 7994 byte-range-resp = byte-range "/" ( complete-length / "*" ) 7995 byte-range-set = *( "," OWS ) ( byte-range-spec / 7996 suffix-byte-range-spec ) *( OWS "," [ OWS ( byte-range-spec / 7997 suffix-byte-range-spec ) ] ) 7998 byte-range-spec = first-byte-pos "-" [ last-byte-pos ] 7999 byte-ranges-specifier = bytes-unit "=" byte-range-set 8000 bytes-unit = "bytes" 8002 challenge = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *( 8003 OWS "," [ OWS auth-param ] ) ] ) ] 8004 charset = token 8005 codings = content-coding / "identity" / "*" 8006 comment = "(" *( ctext / quoted-pair / comment ) ")" 8007 complete-length = 1*DIGIT 8008 content-coding = token 8009 credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) 8010 *( OWS "," [ OWS auth-param ] ) ] ) ] 8011 ctext = HTAB / SP / %x21-27 ; '!'-''' 8012 / %x2A-5B ; '*'-'[' 8013 / %x5D-7E ; ']'-'~' 8014 / obs-text 8016 date1 = day SP month SP year 8017 date2 = day "-" month "-" 2DIGIT 8018 date3 = month SP ( 2DIGIT / ( SP DIGIT ) ) 8019 day = 2DIGIT 8020 day-name = %x4D.6F.6E ; Mon 8021 / %x54.75.65 ; Tue 8022 / %x57.65.64 ; Wed 8023 / %x54.68.75 ; Thu 8024 / %x46.72.69 ; Fri 8025 / %x53.61.74 ; Sat 8026 / %x53.75.6E ; Sun 8027 day-name-l = %x4D.6F.6E.64.61.79 ; Monday 8028 / %x54.75.65.73.64.61.79 ; Tuesday 8029 / %x57.65.64.6E.65.73.64.61.79 ; Wednesday 8030 / %x54.68.75.72.73.64.61.79 ; Thursday 8031 / %x46.72.69.64.61.79 ; Friday 8032 / %x53.61.74.75.72.64.61.79 ; Saturday 8033 / %x53.75.6E.64.61.79 ; Sunday 8034 delay-seconds = 1*DIGIT 8036 entity-tag = [ weak ] opaque-tag 8037 etagc = "!" / %x23-7E ; '#'-'~' 8038 / obs-text 8040 field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] 8041 field-name = token 8042 field-value = *( field-content / obs-fold ) 8043 field-vchar = VCHAR / obs-text 8044 first-byte-pos = 1*DIGIT 8046 hour = 2DIGIT 8047 http-URI = "http://" authority path-abempty [ "?" query ] 8048 https-URI = "https://" authority path-abempty [ "?" query ] 8050 language-range = 8051 language-tag = 8052 last-byte-pos = 1*DIGIT 8054 mailbox = 8055 media-range = ( "*/*" / ( type "/*" ) / ( type "/" subtype ) ) *( OWS 8056 ";" OWS parameter ) 8057 media-type = type "/" subtype *( OWS ";" OWS parameter ) 8058 method = token 8059 minute = 2DIGIT 8060 month = %x4A.61.6E ; Jan 8061 / %x46.65.62 ; Feb 8062 / %x4D.61.72 ; Mar 8063 / %x41.70.72 ; Apr 8064 / %x4D.61.79 ; May 8065 / %x4A.75.6E ; Jun 8066 / %x4A.75.6C ; Jul 8067 / %x41.75.67 ; Aug 8068 / %x53.65.70 ; Sep 8069 / %x4F.63.74 ; Oct 8070 / %x4E.6F.76 ; Nov 8071 / %x44.65.63 ; Dec 8073 obs-date = rfc850-date / asctime-date 8074 obs-fold = 8075 obs-text = %x80-FF 8076 opaque-tag = DQUOTE *etagc DQUOTE 8077 other-content-range = other-range-unit SP other-range-resp 8078 other-range-resp = *VCHAR 8079 other-range-set = 1*VCHAR 8080 other-range-unit = token 8081 other-ranges-specifier = other-range-unit "=" other-range-set 8083 parameter = token "=" ( token / quoted-string ) 8084 partial-URI = relative-part [ "?" query ] 8085 path-abempty = 8086 port = 8087 product = token [ "/" product-version ] 8088 product-version = token 8089 protocol-name = 8090 protocol-version = 8091 pseudonym = token 8093 qdtext = HTAB / SP / "!" / %x23-5B ; '#'-'[' 8094 / %x5D-7E ; ']'-'~' 8095 / obs-text 8096 query = 8097 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 8098 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 8099 qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] ) 8101 range-unit = bytes-unit / other-range-unit 8102 received-by = ( uri-host [ ":" port ] ) / pseudonym 8103 received-protocol = [ protocol-name "/" ] protocol-version 8104 relative-part = 8105 request-target = 8106 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 8108 second = 2DIGIT 8109 segment = 8110 subtype = token 8111 suffix-byte-range-spec = "-" suffix-length 8112 suffix-length = 1*DIGIT 8114 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / 8115 "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA 8116 time-of-day = hour ":" minute ":" second 8117 token = 1*tchar 8118 token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) 8119 *"=" 8120 type = token 8122 unsatisfied-range = "*/" complete-length 8123 uri-host = 8125 weak = %x57.2F ; W/ 8126 weight = OWS ";" OWS "q=" qvalue 8128 year = 4DIGIT 8130 Appendix B. Changes from RFC 7230 8132 Most of the sections introducing HTTP's design goals, history, 8133 architecture, conformance criteria, protocol versioning, URIs, 8134 message routing, and header field values have been moved here 8135 (without substantive change). 8137 Furthermore: 8139 Add status code 308 (previously defined in [RFC7538]) so that it's 8140 defined closer to status codes 301, 302, and 307. (Section 9.4.9) 8142 Add status code 422 (previously defined in Section 11.2 of [RFC4918]) 8143 because of it's general applicability. (Section 9.5.20) 8145 Appendix C. Changes from RFC 7231 8147 None yet. 8149 Appendix D. Changes from RFC 7232 8151 None yet. 8153 Appendix E. Changes from RFC 7233 8155 None yet. 8157 Appendix F. Changes from RFC 7235 8159 None yet. 8161 Appendix G. Changes from RFC 7538 8163 None yet. 8165 Appendix H. Changes from RFC 7615 8167 None yet. 8169 Appendix I. Change Log 8171 This section is to be removed before publishing as an RFC. 8173 I.1. Between RFC723x and draft 00 8175 The changes were purely editorial: 8177 o Change boilerplate and abstract to indicate the "draft" status, 8178 and update references to ancestor specifications. 8180 o Remove version "1.1" from document title, indicating that this 8181 specification applies to all HTTP versions. 8183 o Adjust historical notes. 8185 o Update links to sibling specifications. 8187 o Replace sections listing changes from RFC 2616 by new empty 8188 sections referring to RFC 723x. 8190 o Remove acknowledgements specific to RFC 723x. 8192 o Move "Acknowledgements" to the very end and make them unnumbered. 8194 I.2. Since draft-ietf-httpbis-semantics-00 8196 The changes in this draft are editorial, with respect to HTTP as a 8197 whole, to merge core HTTP semantics into this document: 8199 o Merged introduction, architecture, conformance, and ABNF 8200 extensions from RFC 7230 (Messaging). 8202 o Rearranged architecture to extract conformance, http(s) schemes, 8203 and protocol versioning into a separate major section. 8205 o Moved discussion of MIME differences to [Messaging] since that is 8206 primarily concerned with transforming 1.1 messages. 8208 o Merged entire content of RFC 7232 (Conditional Requests). 8210 o Merged entire content of RFC 7233 (Range Requests). 8212 o Merged entire content of RFC 7235 (Auth Framework). 8214 o Moved all extensibility tips, registration procedures, and 8215 registry tables from the IANA considerations to normative 8216 sections, reducing the IANA considerations to just instructions 8217 that will be removed prior to publication as an RFC. 8219 I.3. Since draft-ietf-httpbis-semantics-01 8221 o Improve [Welch] citation () 8224 o Remove HTTP/1.1-ism about Range Requests 8225 () 8227 o Cite RFC 8126 instead of RFC 5226 () 8230 o Cite RFC 7538 instead of RFC 7238 () 8233 o Cite RFC 8288 instead of RFC 5988 () 8236 o Cite RFC 8187 instead of RFC 5987 () 8239 o Cite RFC 7578 instead of RFC 2388 () 8242 o Cite RFC 7595 instead of RFC 4395 () 8245 o improve ABNF readability for qdtext (, ) 8248 o Clarify "resource" vs "representation" in definition of status 8249 code 416 (, 8250 ) 8252 o Resolved erratum 4072, no change needed here 8253 (, 8254 ) 8256 o Clarify DELETE status code suggestions 8257 (, 8258 ) 8260 o In Section 6.3.3, fix ABNF for "other-range-resp" to use VCHAR 8261 instead of CHAR (, 8262 ) 8264 o Resolved erratum 5162, no change needed here 8265 (, 8266 ) 8268 o Replace "response code" with "response status code" and "status- 8269 code" (the ABNF production name from the HTTP/1.1 message format) 8270 by "status code" (, 8271 ) 8273 o Added a missing word in Section 9.4 (, ) 8276 o In Section 11, fixed an example that had trailing whitespace where 8277 it shouldn't (, 8278 ) 8280 o In Section 9.3.7, remove words that were potentially misleading 8281 with respect to the relation to the requested ranges 8282 (, 8283 ) 8285 I.4. Since draft-ietf-httpbis-semantics-02 8287 o Included (Proxy-)Auth-Info header field definition from RFC 7615 8288 () 8290 o In Section 7.3.3, clarify POST caching 8291 () 8293 o Add Section 9.5.19 to reserve the 418 status code 8294 () 8296 o In Section 2.1 and Section 8.1.1, clarified when a response can be 8297 sent () 8299 o In Section 6.1.1.1, explain the difference between the "token" 8300 production, the RFC 2978 ABNF for charset names, and the actual 8301 registration practice (, ) 8304 o In Section 2.5, removed the fragment component in the URI scheme 8305 definitions as per Section 4.3 of [RFC3986], furthermore moved 8306 fragment discussion into a separate section 8307 (, 8308 , ) 8311 o In Section 3.5, add language about minor HTTP version number 8312 defaulting () 8314 o Added Section 9.5.20 for status code 422, previously defined in 8315 Section 11.2 of [RFC4918] () 8318 o In Section 9.5.17, fixed prose about byte range comparison 8319 (, 8320 ) 8322 o In Section 2.1, explain that request/response correlation is 8323 version specific () 8326 I.5. Since draft-ietf-httpbis-semantics-03 8328 o In Section 9.4.9, include status code 308 from RFC 7538 8329 () 8331 o In Section 6.1.1, clarify that the charset parameter value is 8332 case-insensitive due to the definition in RFC 2046 8333 () 8335 o Define a separate registry for HTTP header field names 8336 () 8338 o In Section 8.4, refactor and clarify description of wildcard ("*") 8339 handling () 8341 o Deprecate Accept-Charset () 8344 o In Section 8.2.1, mention Cache-Control: immutable 8345 () 8347 o In Section 4.2.1, clarify when header field combination is allowed 8348 () 8350 o In Section 13.4, instruct IANA to mark Content-MD5 as obsolete 8351 () 8353 o Use RFC 7405 ABNF notation for case-sensitive string constants 8354 () 8356 o Rework Section 2.1 to be more version-independent 8357 () 8359 o In Section 7.3.5, clarify that DELETE needs to be successful to 8360 invalidate cache (, ) 8363 Index 8365 1 8366 100 Continue (status code) 108 8367 100-continue (expect value) 76 8368 101 Switching Protocols (status code) 109 8369 1xx Informational (status code class) 108 8371 2 8372 200 OK (status code) 109 8373 201 Created (status code) 110 8374 202 Accepted (status code) 110 8375 203 Non-Authoritative Information (status code) 111 8376 204 No Content (status code) 111 8377 205 Reset Content (status code) 112 8378 206 Partial Content (status code) 112 8379 2xx Successful (status code class) 109 8381 3 8382 300 Multiple Choices (status code) 117 8383 301 Moved Permanently (status code) 118 8384 302 Found (status code) 118 8385 303 See Other (status code) 119 8386 304 Not Modified (status code) 119 8387 305 Use Proxy (status code) 120 8388 306 (Unused) (status code) 120 8389 307 Temporary Redirect (status code) 120 8390 308 Permanent Redirect (status code) 121 8391 3xx Redirection (status code class) 115 8393 4 8394 400 Bad Request (status code) 121 8395 401 Unauthorized (status code) 121 8396 402 Payment Required (status code) 122 8397 403 Forbidden (status code) 122 8398 404 Not Found (status code) 122 8399 405 Method Not Allowed (status code) 123 8400 406 Not Acceptable (status code) 123 8401 407 Proxy Authentication Required (status code) 123 8402 408 Request Timeout (status code) 123 8403 409 Conflict (status code) 124 8404 410 Gone (status code) 124 8405 411 Length Required (status code) 124 8406 412 Precondition Failed (status code) 125 8407 413 Payload Too Large (status code) 125 8408 414 URI Too Long (status code) 125 8409 415 Unsupported Media Type (status code) 125 8410 416 Range Not Satisfiable (status code) 126 8411 417 Expectation Failed (status code) 126 8412 418 (Unused) (status code) 126 8413 422 Unprocessable Entity (status code) 127 8414 426 Upgrade Required (status code) 127 8415 4xx Client Error (status code class) 121 8417 5 8418 500 Internal Server Error (status code) 128 8419 501 Not Implemented (status code) 128 8420 502 Bad Gateway (status code) 128 8421 503 Service Unavailable (status code) 128 8422 504 Gateway Timeout (status code) 128 8423 505 HTTP Version Not Supported (status code) 128 8424 5xx Server Error (status code class) 127 8426 A 8427 Accept header field 92 8428 Accept-Charset header field 94 8429 Accept-Encoding header field 95 8430 Accept-Language header field 96 8431 Accept-Ranges header field 149 8432 Allow header field 149 8433 Authentication-Info header field 147 8434 Authorization header field 100 8435 accelerator 12 8436 authoritative response 152 8438 B 8439 browser 10 8441 C 8442 CONNECT method 71 8443 Canonical Root URI 99 8444 Content-Encoding header field 48 8445 Content-Language header field 49 8446 Content-Length header field 50 8447 Content-Location header field 51 8448 Content-MD5 header field 162 8449 Content-Range header field 55 8450 Content-Type header field 47 8451 cache 14 8452 cacheable 14, 64 8453 captive portal 13 8454 client 10 8455 compress (Coding Format) 42 8456 compress (content coding) 41 8457 conditional request 79 8458 connection 10 8459 content coding 41 8460 content negotiation 8 8462 D 8463 DELETE method 70 8464 Date header field 133 8465 Delimiters 29 8466 deflate (Coding Format) 42 8467 deflate (content coding) 41 8468 downstream 12 8470 E 8471 ETag header field 141 8472 Expect header field 76 8473 effective request URI 33 8475 F 8476 Fragment Identifiers 18 8477 From header field 103 8479 G 8480 GET method 65 8481 Grammar 8482 absolute-path 15 8483 absolute-URI 15 8484 Accept 92 8485 Accept-Charset 94 8486 Accept-Encoding 95 8487 accept-ext 92 8488 Accept-Language 96 8489 accept-params 92 8490 Accept-Ranges 149 8491 acceptable-ranges 149 8492 Allow 149 8493 ALPHA 9 8494 asctime-date 132 8495 auth-param 98 8496 auth-scheme 98 8497 Authentication-Info 147 8498 authority 15 8499 Authorization 100 8500 BWS 31 8501 byte-content-range 55 8502 byte-range 55 8503 byte-range-resp 55 8504 byte-range-set 44 8505 byte-range-spec 44 8506 byte-ranges-specifier 44 8507 bytes-unit 44 8508 challenge 98 8509 charset 40 8510 codings 95 8511 comment 30 8512 complete-length 55 8513 content-coding 41 8514 Content-Encoding 48 8515 Content-Language 49 8516 Content-Length 50 8517 Content-Location 51 8518 Content-Range 55 8519 Content-Type 47 8520 CR 9 8521 credentials 99 8522 CRLF 9 8523 ctext 30 8524 CTL 9 8525 Date 133 8526 date1 132 8527 day 132 8528 day-name 132 8529 day-name-l 132 8530 delay-seconds 135 8531 DIGIT 9 8532 DQUOTE 9 8533 entity-tag 142 8534 ETag 142 8535 etagc 142 8536 Expect 76 8537 field-content 28 8538 field-name 23, 31 8539 field-value 28 8540 field-vchar 28 8541 first-byte-pos 44 8542 From 103 8543 GMT 132 8544 HEXDIG 9 8545 Host 34 8546 hour 132 8547 HTAB 9 8548 HTTP-date 131 8549 http-URI 16 8550 https-URI 17 8551 If-Match 83 8552 If-Modified-Since 85 8553 If-None-Match 84 8554 If-Range 88 8555 If-Unmodified-Since 86 8556 IMF-fixdate 132 8557 language-range 96 8558 language-tag 43 8559 last-byte-pos 44 8560 Last-Modified 139 8561 LF 9 8562 Location 134 8563 Max-Forwards 78 8564 media-range 92 8565 media-type 39 8566 method 61 8567 minute 132 8568 month 132 8569 obs-date 132 8570 obs-text 29 8571 OCTET 9 8572 opaque-tag 142 8573 other-content-range 55 8574 other-range-resp 55 8575 other-range-unit 44, 46 8576 OWS 31 8577 parameter 39 8578 partial-URI 15 8579 port 15 8580 product 105 8581 product-version 105 8582 protocol-name 35 8583 protocol-version 35 8584 Proxy-Authenticate 147 8585 Proxy-Authentication-Info 148 8586 Proxy-Authorization 100 8587 pseudonym 35 8588 qdtext 29 8589 query 15 8590 quoted-pair 30 8591 quoted-string 29 8592 qvalue 92 8593 Range 89 8594 range-unit 44 8595 ranges-specifier 44 8596 received-by 35 8597 received-protocol 35 8598 Referer 104 8599 Retry-After 135 8600 rfc850-date 132 8601 RWS 31 8602 second 132 8603 segment 15 8604 Server 150 8605 SP 9 8606 subtype 39 8607 suffix-byte-range-spec 45 8608 suffix-length 45 8609 tchar 29 8610 time-of-day 132 8611 token 29 8612 token68 98 8613 Trailer 31 8614 type 39 8615 unsatisfied-range 55 8616 uri-host 15 8617 URI-reference 15 8618 User-Agent 105 8619 Vary 136 8620 VCHAR 9 8621 Via 35 8622 weak 142 8623 weight 92 8624 WWW-Authenticate 146 8625 year 132 8626 gateway 12 8627 gzip (Coding Format) 42 8628 gzip (content coding) 41 8630 H 8631 HEAD method 66 8632 Host header field 33 8633 http URI scheme 16 8634 https URI scheme 17 8636 I 8637 If-Match header field 83 8638 If-Modified-Since header field 85 8639 If-None-Match header field 84 8640 If-Range header field 87 8641 If-Unmodified-Since header field 86 8642 idempotent 64 8643 inbound 12 8644 interception proxy 13 8645 intermediary 12 8647 L 8648 Last-Modified header field 139 8649 Location header field 134 8651 M 8652 Max-Forwards header field 78 8653 Media Type 8654 multipart/byteranges 57 8655 multipart/x-byteranges 57 8656 message 10 8657 metadata 137 8658 multipart/byteranges Media Type 57 8659 multipart/x-byteranges Media Type 57 8661 N 8662 non-transforming proxy 37 8664 O 8665 OPTIONS method 72 8666 origin server 10 8667 outbound 12 8669 P 8670 POST method 66 8671 PUT method 67 8672 Protection Space 99 8673 Proxy-Authenticate header field 147 8674 Proxy-Authentication-Info header field 148 8675 Proxy-Authorization header field 100 8676 payload 53 8677 phishing 152 8678 proxy 12 8680 R 8681 Range header field 89 8682 Realm 99 8683 Referer header field 104 8684 Retry-After header field 135 8685 recipient 10 8686 representation 38 8687 request 10 8688 resource 14 8689 response 10 8690 reverse proxy 12 8692 S 8693 Server header field 150 8694 Status Codes Classes 8695 1xx Informational 108 8696 2xx Successful 109 8697 3xx Redirection 115 8698 4xx Client Error 121 8699 5xx Server Error 127 8700 safe 63 8701 selected representation 38, 79, 137 8702 sender 10 8703 server 10 8704 spider 10 8706 T 8707 TRACE method 73 8708 Trailer header field 31 8709 target URI 32 8710 target resource 32 8711 transforming proxy 37 8712 transparent proxy 13 8713 tunnel 13 8715 U 8716 URI scheme 8717 http 16 8718 https 17 8719 User-Agent header field 105 8720 upstream 12 8721 user agent 10 8723 V 8724 Vary header field 136 8725 Via header field 35 8726 validator 137 8727 strong 138 8728 weak 138 8730 W 8731 WWW-Authenticate header field 146 8733 X 8734 x-compress (content coding) 41 8735 x-gzip (content coding) 41 8737 Acknowledgments 8739 This edition of the HTTP specification builds on the many 8740 contributions that went into RFC 1945, RFC 2068, RFC 2145, and RFC 8741 2616, including substantial contributions made by the previous 8742 authors, editors, and Working Group Chairs: Tim Berners-Lee, Ari 8743 Luotonen, Roy T. Fielding, Henrik Frystyk Nielsen, Jim Gettys, 8744 Jeffrey C. Mogul, Larry Masinter, Paul J. Leach, and Yves Lafon. 8746 See Section 10 of [RFC7230] for further acknowledgements from prior 8747 revisions. 8749 In addition, this document has reincorporated the HTTP Authentication 8750 Framework, previously defined in RFC 7235 and RFC 2617. We thank 8751 John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott 8752 D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart 8753 for their work on that specification. See Section 6 of [RFC2617] for 8754 further acknowledgements. 8756 [[newacks: New acks to be added here.]] 8758 Authors' Addresses 8760 Roy T. Fielding (editor) 8761 Adobe 8762 345 Park Ave 8763 San Jose, CA 95110 8764 USA 8766 EMail: fielding@gbiv.com 8767 URI: https://roy.gbiv.com/ 8769 Mark Nottingham (editor) 8770 Fastly 8772 EMail: mnot@mnot.net 8773 URI: https://www.mnot.net/ 8775 Julian F. Reschke (editor) 8776 greenbytes GmbH 8777 Hafenweg 16 8778 Muenster, NW 48155 8779 Germany 8781 EMail: julian.reschke@greenbytes.de 8782 URI: https://greenbytes.de/tech/webdav/