idnits 2.17.1 draft-ietf-httpbis-semantics-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 6 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. -- The abstract seems to indicate that this document obsoletes RFC7615, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7538, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7231, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7232, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7233, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7235, but the header doesn't have an 'Obsoletes:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 8, 2019) is 1752 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2145' is defined on line 7797, but no explicit reference was found in the text == Unused Reference: 'RFC7232' is defined on line 7895, but no explicit reference was found in the text == Unused Reference: 'RFC7233' is defined on line 7900, but no explicit reference was found in the text == Unused Reference: 'RFC7235' is defined on line 7905, but no explicit reference was found in the text == Unused Reference: 'RFC7615' is defined on line 7918, but no explicit reference was found in the text == Unused Reference: 'RFC7617' is defined on line 7928, but no explicit reference was found in the text == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-cache-05 -- Possible downref: Normative reference to a draft: ref. 'Caching' == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-messaging-05 -- Possible downref: Normative reference to a draft: ref. 'Messaging' ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Downref: Normative reference to an Informational RFC: RFC 1950 ** Downref: Normative reference to an Informational RFC: RFC 1951 ** Downref: Normative reference to an Informational RFC: RFC 1952 -- Possible downref: Non-RFC (?) normative reference: ref. 'USASCII' -- Possible downref: Non-RFC (?) normative reference: ref. 'Welch' -- Duplicate reference: RFC2978, mentioned in 'Err5433', was also mentioned in 'Err1912'. -- Obsolete informational reference (is this intentional?): RFC 2068 (Obsoleted by RFC 2616) -- Obsolete informational reference (is this intentional?): RFC 2145 (Obsoleted by RFC 7230) -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Duplicate reference: RFC2978, mentioned in 'RFC2978', was also mentioned in 'Err5433'. -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) -- Obsolete informational reference (is this intentional?): RFC 7231 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7232 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7233 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7235 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7538 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7615 (Obsoleted by RFC 9110) Summary: 4 errors (**), 0 flaws (~~), 11 warnings (==), 27 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group R. Fielding, Ed. 3 Internet-Draft Adobe 4 Obsoletes: M. Nottingham, Ed. 5 7230,7231,7232,7233,7235,7538 Fastly 6 ,7615 (if approved) J. Reschke, Ed. 7 Intended status: Standards Track greenbytes 8 Expires: January 9, 2020 July 8, 2019 10 HTTP Semantics 11 draft-ietf-httpbis-semantics-05 13 Abstract 15 The Hypertext Transfer Protocol (HTTP) is a stateless application- 16 level protocol for distributed, collaborative, hypertext information 17 systems. This document defines the semantics of HTTP: its 18 architecture, terminology, the "http" and "https" Uniform Resource 19 Identifier (URI) schemes, core request methods, request header 20 fields, response status codes, response header fields, and content 21 negotiation. 23 This document obsoletes RFC 7231, RFC 7232, RFC 7233, RFC 7235, RFC 24 7538, RFC 7615, and portions of RFC 7230. 26 Editorial Note 28 This note is to be removed before publishing as an RFC. 30 Discussion of this draft takes place on the HTTP working group 31 mailing list (ietf-http-wg@w3.org), which is archived at 32 . 34 Working Group information can be found at ; 35 source code and issues list for this draft can be found at 36 . 38 The changes in this draft are summarized in Appendix I.6. 40 Status of This Memo 42 This Internet-Draft is submitted in full conformance with the 43 provisions of BCP 78 and BCP 79. 45 Internet-Drafts are working documents of the Internet Engineering 46 Task Force (IETF). Note that other groups may also distribute 47 working documents as Internet-Drafts. The list of current Internet- 48 Drafts is at https://datatracker.ietf.org/drafts/current/. 50 Internet-Drafts are draft documents valid for a maximum of six months 51 and may be updated, replaced, or obsoleted by other documents at any 52 time. It is inappropriate to use Internet-Drafts as reference 53 material or to cite them other than as "work in progress." 55 This Internet-Draft will expire on January 9, 2020. 57 Copyright Notice 59 Copyright (c) 2019 IETF Trust and the persons identified as the 60 document authors. All rights reserved. 62 This document is subject to BCP 78 and the IETF Trust's Legal 63 Provisions Relating to IETF Documents 64 (https://trustee.ietf.org/license-info) in effect on the date of 65 publication of this document. Please review these documents 66 carefully, as they describe your rights and restrictions with respect 67 to this document. Code Components extracted from this document must 68 include Simplified BSD License text as described in Section 4.e of 69 the Trust Legal Provisions and are provided without warranty as 70 described in the Simplified BSD License. 72 This document may contain material from IETF Documents or IETF 73 Contributions published or made publicly available before November 74 10, 2008. The person(s) controlling the copyright in some of this 75 material may not have granted the IETF Trust the right to allow 76 modifications of such material outside the IETF Standards Process. 77 Without obtaining an adequate license from the person(s) controlling 78 the copyright in such materials, this document may not be modified 79 outside the IETF Standards Process, and derivative works of it may 80 not be created outside the IETF Standards Process, except to format 81 it for publication as an RFC or to translate it into languages other 82 than English. 84 Table of Contents 86 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 87 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 9 88 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 9 89 2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 10 90 2.1. Client/Server Messaging . . . . . . . . . . . . . . . . . 10 91 2.2. Intermediaries . . . . . . . . . . . . . . . . . . . . . 12 92 2.3. Caches . . . . . . . . . . . . . . . . . . . . . . . . . 14 93 2.4. Uniform Resource Identifiers . . . . . . . . . . . . . . 15 94 2.5. Resources . . . . . . . . . . . . . . . . . . . . . . . . 15 95 2.5.1. http URI Scheme . . . . . . . . . . . . . . . . . . . 16 96 2.5.2. https URI Scheme . . . . . . . . . . . . . . . . . . 17 97 2.5.3. Fragment Identifiers on http(s) URI References . . . 18 98 2.5.4. http and https URI Normalization and Comparison . . . 18 99 3. Conformance . . . . . . . . . . . . . . . . . . . . . . . . . 19 100 3.1. Implementation Diversity . . . . . . . . . . . . . . . . 19 101 3.2. Role-based Requirements . . . . . . . . . . . . . . . . . 20 102 3.3. Parsing Elements . . . . . . . . . . . . . . . . . . . . 20 103 3.4. Error Handling . . . . . . . . . . . . . . . . . . . . . 21 104 3.5. Protocol Versioning . . . . . . . . . . . . . . . . . . . 21 105 4. Message Abstraction . . . . . . . . . . . . . . . . . . . . . 23 106 4.1. Header Field Names . . . . . . . . . . . . . . . . . . . 23 107 4.1.1. Header Field Name Registry . . . . . . . . . . . . . 25 108 4.1.2. Header Field Extensibility . . . . . . . . . . . . . 26 109 4.1.3. Considerations for New Header Fields . . . . . . . . 26 110 4.2. Header Field Values . . . . . . . . . . . . . . . . . . . 27 111 4.2.1. Header Field Order . . . . . . . . . . . . . . . . . 28 112 4.2.2. Header Field Limits . . . . . . . . . . . . . . . . . 29 113 4.2.3. Header Field Value Components . . . . . . . . . . . . 29 114 4.2.4. Designing New Header Field Values . . . . . . . . . . 31 115 4.3. Whitespace . . . . . . . . . . . . . . . . . . . . . . . 32 116 4.4. Trailer . . . . . . . . . . . . . . . . . . . . . . . . . 32 117 5. Message Routing . . . . . . . . . . . . . . . . . . . . . . . 33 118 5.1. Identifying a Target Resource . . . . . . . . . . . . . . 33 119 5.2. Routing Inbound . . . . . . . . . . . . . . . . . . . . . 33 120 5.3. Effective Request URI . . . . . . . . . . . . . . . . . . 34 121 5.4. Host . . . . . . . . . . . . . . . . . . . . . . . . . . 34 122 5.5. Message Forwarding . . . . . . . . . . . . . . . . . . . 35 123 5.5.1. Via . . . . . . . . . . . . . . . . . . . . . . . . . 36 124 5.5.2. Transformations . . . . . . . . . . . . . . . . . . . 38 125 6. Representations . . . . . . . . . . . . . . . . . . . . . . . 39 126 6.1. Representation Data . . . . . . . . . . . . . . . . . . . 39 127 6.1.1. Media Type . . . . . . . . . . . . . . . . . . . . . 40 128 6.1.2. Content Codings . . . . . . . . . . . . . . . . . . . 42 129 6.1.3. Language Tags . . . . . . . . . . . . . . . . . . . . 44 130 6.1.4. Range Units . . . . . . . . . . . . . . . . . . . . . 44 131 6.2. Representation Metadata . . . . . . . . . . . . . . . . . 47 132 6.2.1. Content-Type . . . . . . . . . . . . . . . . . . . . 48 133 6.2.2. Content-Encoding . . . . . . . . . . . . . . . . . . 49 134 6.2.3. Content-Language . . . . . . . . . . . . . . . . . . 50 135 6.2.4. Content-Length . . . . . . . . . . . . . . . . . . . 50 136 6.2.5. Content-Location . . . . . . . . . . . . . . . . . . 52 137 6.3. Payload . . . . . . . . . . . . . . . . . . . . . . . . . 54 138 6.3.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 54 139 6.3.2. Identification . . . . . . . . . . . . . . . . . . . 54 140 6.3.3. Content-Range . . . . . . . . . . . . . . . . . . . . 55 141 6.3.4. Media Type multipart/byteranges . . . . . . . . . . . 57 142 6.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 59 143 6.4.1. Proactive Negotiation . . . . . . . . . . . . . . . . 60 144 6.4.2. Reactive Negotiation . . . . . . . . . . . . . . . . 61 145 7. Request Methods . . . . . . . . . . . . . . . . . . . . . . . 62 146 7.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 62 147 7.2. Common Method Properties . . . . . . . . . . . . . . . . 64 148 7.2.1. Safe Methods . . . . . . . . . . . . . . . . . . . . 64 149 7.2.2. Idempotent Methods . . . . . . . . . . . . . . . . . 65 150 7.2.3. Cacheable Methods . . . . . . . . . . . . . . . . . . 66 151 7.3. Method Definitions . . . . . . . . . . . . . . . . . . . 66 152 7.3.1. GET . . . . . . . . . . . . . . . . . . . . . . . . . 66 153 7.3.2. HEAD . . . . . . . . . . . . . . . . . . . . . . . . 67 154 7.3.3. POST . . . . . . . . . . . . . . . . . . . . . . . . 67 155 7.3.4. PUT . . . . . . . . . . . . . . . . . . . . . . . . . 68 156 7.3.5. DELETE . . . . . . . . . . . . . . . . . . . . . . . 71 157 7.3.6. CONNECT . . . . . . . . . . . . . . . . . . . . . . . 72 158 7.3.7. OPTIONS . . . . . . . . . . . . . . . . . . . . . . . 73 159 7.3.8. TRACE . . . . . . . . . . . . . . . . . . . . . . . . 74 160 7.4. Method Extensibility . . . . . . . . . . . . . . . . . . 75 161 7.4.1. Method Registry . . . . . . . . . . . . . . . . . . . 75 162 7.4.2. Considerations for New Methods . . . . . . . . . . . 75 163 8. Request Header Fields . . . . . . . . . . . . . . . . . . . . 76 164 8.1. Controls . . . . . . . . . . . . . . . . . . . . . . . . 76 165 8.1.1. Expect . . . . . . . . . . . . . . . . . . . . . . . 77 166 8.1.2. Max-Forwards . . . . . . . . . . . . . . . . . . . . 79 167 8.2. Preconditions . . . . . . . . . . . . . . . . . . . . . . 80 168 8.2.1. Evaluation . . . . . . . . . . . . . . . . . . . . . 81 169 8.2.2. Precedence . . . . . . . . . . . . . . . . . . . . . 82 170 8.2.3. If-Match . . . . . . . . . . . . . . . . . . . . . . 84 171 8.2.4. If-None-Match . . . . . . . . . . . . . . . . . . . . 85 172 8.2.5. If-Modified-Since . . . . . . . . . . . . . . . . . . 86 173 8.2.6. If-Unmodified-Since . . . . . . . . . . . . . . . . . 87 174 8.2.7. If-Range . . . . . . . . . . . . . . . . . . . . . . 88 175 8.3. Range . . . . . . . . . . . . . . . . . . . . . . . . . . 90 176 8.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 91 177 8.4.1. Quality Values . . . . . . . . . . . . . . . . . . . 92 178 8.4.2. Accept . . . . . . . . . . . . . . . . . . . . . . . 93 179 8.4.3. Accept-Charset . . . . . . . . . . . . . . . . . . . 95 180 8.4.4. Accept-Encoding . . . . . . . . . . . . . . . . . . . 96 181 8.4.5. Accept-Language . . . . . . . . . . . . . . . . . . . 97 182 8.5. Authentication Credentials . . . . . . . . . . . . . . . 98 183 8.5.1. Challenge and Response . . . . . . . . . . . . . . . 98 184 8.5.2. Protection Space (Realm) . . . . . . . . . . . . . . 100 185 8.5.3. Authorization . . . . . . . . . . . . . . . . . . . . 101 186 8.5.4. Proxy-Authorization . . . . . . . . . . . . . . . . . 101 187 8.5.5. Authentication Scheme Extensibility . . . . . . . . . 102 188 8.6. Request Context . . . . . . . . . . . . . . . . . . . . . 104 189 8.6.1. From . . . . . . . . . . . . . . . . . . . . . . . . 104 190 8.6.2. Referer . . . . . . . . . . . . . . . . . . . . . . . 105 191 8.6.3. User-Agent . . . . . . . . . . . . . . . . . . . . . 106 192 9. Response Status Codes . . . . . . . . . . . . . . . . . . . . 107 193 9.1. Overview of Status Codes . . . . . . . . . . . . . . . . 108 194 9.2. Informational 1xx . . . . . . . . . . . . . . . . . . . . 109 195 9.2.1. 100 Continue . . . . . . . . . . . . . . . . . . . . 110 196 9.2.2. 101 Switching Protocols . . . . . . . . . . . . . . . 110 197 9.3. Successful 2xx . . . . . . . . . . . . . . . . . . . . . 110 198 9.3.1. 200 OK . . . . . . . . . . . . . . . . . . . . . . . 110 199 9.3.2. 201 Created . . . . . . . . . . . . . . . . . . . . . 111 200 9.3.3. 202 Accepted . . . . . . . . . . . . . . . . . . . . 111 201 9.3.4. 203 Non-Authoritative Information . . . . . . . . . . 112 202 9.3.5. 204 No Content . . . . . . . . . . . . . . . . . . . 112 203 9.3.6. 205 Reset Content . . . . . . . . . . . . . . . . . . 113 204 9.3.7. 206 Partial Content . . . . . . . . . . . . . . . . . 113 205 9.4. Redirection 3xx . . . . . . . . . . . . . . . . . . . . . 116 206 9.4.1. 300 Multiple Choices . . . . . . . . . . . . . . . . 118 207 9.4.2. 301 Moved Permanently . . . . . . . . . . . . . . . . 119 208 9.4.3. 302 Found . . . . . . . . . . . . . . . . . . . . . . 119 209 9.4.4. 303 See Other . . . . . . . . . . . . . . . . . . . . 120 210 9.4.5. 304 Not Modified . . . . . . . . . . . . . . . . . . 120 211 9.4.6. 305 Use Proxy . . . . . . . . . . . . . . . . . . . . 121 212 9.4.7. 306 (Unused) . . . . . . . . . . . . . . . . . . . . 121 213 9.4.8. 307 Temporary Redirect . . . . . . . . . . . . . . . 121 214 9.4.9. 308 Permanent Redirect . . . . . . . . . . . . . . . 122 215 9.5. Client Error 4xx . . . . . . . . . . . . . . . . . . . . 122 216 9.5.1. 400 Bad Request . . . . . . . . . . . . . . . . . . . 122 217 9.5.2. 401 Unauthorized . . . . . . . . . . . . . . . . . . 122 218 9.5.3. 402 Payment Required . . . . . . . . . . . . . . . . 123 219 9.5.4. 403 Forbidden . . . . . . . . . . . . . . . . . . . . 123 220 9.5.5. 404 Not Found . . . . . . . . . . . . . . . . . . . . 123 221 9.5.6. 405 Method Not Allowed . . . . . . . . . . . . . . . 124 222 9.5.7. 406 Not Acceptable . . . . . . . . . . . . . . . . . 124 223 9.5.8. 407 Proxy Authentication Required . . . . . . . . . . 124 224 9.5.9. 408 Request Timeout . . . . . . . . . . . . . . . . . 124 225 9.5.10. 409 Conflict . . . . . . . . . . . . . . . . . . . . 125 226 9.5.11. 410 Gone . . . . . . . . . . . . . . . . . . . . . . 125 227 9.5.12. 411 Length Required . . . . . . . . . . . . . . . . . 125 228 9.5.13. 412 Precondition Failed . . . . . . . . . . . . . . . 126 229 9.5.14. 413 Payload Too Large . . . . . . . . . . . . . . . . 126 230 9.5.15. 414 URI Too Long . . . . . . . . . . . . . . . . . . 126 231 9.5.16. 415 Unsupported Media Type . . . . . . . . . . . . . 126 232 9.5.17. 416 Range Not Satisfiable . . . . . . . . . . . . . . 127 233 9.5.18. 417 Expectation Failed . . . . . . . . . . . . . . . 127 234 9.5.19. 418 (Unused) . . . . . . . . . . . . . . . . . . . . 127 235 9.5.20. 422 Unprocessable Payload . . . . . . . . . . . . . . 128 236 9.5.21. 426 Upgrade Required . . . . . . . . . . . . . . . . 128 237 9.6. Server Error 5xx . . . . . . . . . . . . . . . . . . . . 128 238 9.6.1. 500 Internal Server Error . . . . . . . . . . . . . . 129 239 9.6.2. 501 Not Implemented . . . . . . . . . . . . . . . . . 129 240 9.6.3. 502 Bad Gateway . . . . . . . . . . . . . . . . . . . 129 241 9.6.4. 503 Service Unavailable . . . . . . . . . . . . . . . 129 242 9.6.5. 504 Gateway Timeout . . . . . . . . . . . . . . . . . 129 243 9.6.6. 505 HTTP Version Not Supported . . . . . . . . . . . 129 244 9.7. Status Code Extensibility . . . . . . . . . . . . . . . . 130 245 9.7.1. Status Code Registry . . . . . . . . . . . . . . . . 130 246 9.7.2. Considerations for New Status Codes . . . . . . . . . 130 247 10. Response Header Fields . . . . . . . . . . . . . . . . . . . 131 248 10.1. Control Data . . . . . . . . . . . . . . . . . . . . . . 131 249 10.1.1. Origination Date . . . . . . . . . . . . . . . . . . 132 250 10.1.2. Location . . . . . . . . . . . . . . . . . . . . . . 135 251 10.1.3. Retry-After . . . . . . . . . . . . . . . . . . . . 136 252 10.1.4. Vary . . . . . . . . . . . . . . . . . . . . . . . . 137 253 10.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 138 254 10.2.1. Weak versus Strong . . . . . . . . . . . . . . . . . 139 255 10.2.2. Last-Modified . . . . . . . . . . . . . . . . . . . 140 256 10.2.3. ETag . . . . . . . . . . . . . . . . . . . . . . . . 142 257 10.2.4. When to Use Entity-Tags and Last-Modified Dates . . 146 258 10.3. Authentication Challenges . . . . . . . . . . . . . . . 146 259 10.3.1. WWW-Authenticate . . . . . . . . . . . . . . . . . . 147 260 10.3.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . 148 261 10.3.3. Authentication-Info . . . . . . . . . . . . . . . . 148 262 10.3.4. Proxy-Authentication-Info . . . . . . . . . . . . . 149 263 10.4. Response Context . . . . . . . . . . . . . . . . . . . . 150 264 10.4.1. Accept-Ranges . . . . . . . . . . . . . . . . . . . 150 265 10.4.2. Allow . . . . . . . . . . . . . . . . . . . . . . . 150 266 10.4.3. Server . . . . . . . . . . . . . . . . . . . . . . . 151 267 11. ABNF List Extension: #rule . . . . . . . . . . . . . . . . . 152 268 11.1. Sender Requirements . . . . . . . . . . . . . . . . . . 152 269 11.2. Recipient Requirements . . . . . . . . . . . . . . . . . 152 270 12. Security Considerations . . . . . . . . . . . . . . . . . . . 153 271 12.1. Establishing Authority . . . . . . . . . . . . . . . . . 153 272 12.2. Risks of Intermediaries . . . . . . . . . . . . . . . . 154 273 12.3. Attacks Based on File and Path Names . . . . . . . . . . 155 274 12.4. Attacks Based on Command, Code, or Query Injection . . . 155 275 12.5. Attacks via Protocol Element Length . . . . . . . . . . 156 276 12.6. Disclosure of Personal Information . . . . . . . . . . . 156 277 12.7. Privacy of Server Log Information . . . . . . . . . . . 157 278 12.8. Disclosure of Sensitive Information in URIs . . . . . . 157 279 12.9. Disclosure of Fragment after Redirects . . . . . . . . . 158 280 12.10. Disclosure of Product Information . . . . . . . . . . . 158 281 12.11. Browser Fingerprinting . . . . . . . . . . . . . . . . . 158 282 12.12. Validator Retention . . . . . . . . . . . . . . . . . . 159 283 12.13. Denial-of-Service Attacks Using Range . . . . . . . . . 160 284 12.14. Authentication Considerations . . . . . . . . . . . . . 160 285 12.14.1. Confidentiality of Credentials . . . . . . . . . . 160 286 12.14.2. Credentials and Idle Clients . . . . . . . . . . . 161 287 12.14.3. Protection Spaces . . . . . . . . . . . . . . . . . 161 288 12.14.4. Additional Response Header Fields . . . . . . . . . 162 289 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 162 290 13.1. URI Scheme Registration . . . . . . . . . . . . . . . . 162 291 13.2. Method Registration . . . . . . . . . . . . . . . . . . 162 292 13.3. Status Code Registration . . . . . . . . . . . . . . . . 162 293 13.4. Header Field Registration . . . . . . . . . . . . . . . 163 294 13.5. Authentication Scheme Registration . . . . . . . . . . . 163 295 13.6. Content Coding Registration . . . . . . . . . . . . . . 163 296 13.7. Range Unit Registration . . . . . . . . . . . . . . . . 164 297 13.8. Media Type Registration . . . . . . . . . . . . . . . . 164 298 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 164 299 14.1. Normative References . . . . . . . . . . . . . . . . . . 164 300 14.2. Informative References . . . . . . . . . . . . . . . . . 166 301 Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 172 302 Appendix B. Changes from RFC 7230 . . . . . . . . . . . . . . . 176 303 Appendix C. Changes from RFC 7231 . . . . . . . . . . . . . . . 177 304 Appendix D. Changes from RFC 7232 . . . . . . . . . . . . . . . 177 305 Appendix E. Changes from RFC 7233 . . . . . . . . . . . . . . . 177 306 Appendix F. Changes from RFC 7235 . . . . . . . . . . . . . . . 177 307 Appendix G. Changes from RFC 7538 . . . . . . . . . . . . . . . 177 308 Appendix H. Changes from RFC 7615 . . . . . . . . . . . . . . . 177 309 Appendix I. Change Log . . . . . . . . . . . . . . . . . . . . . 177 310 I.1. Between RFC723x and draft 00 . . . . . . . . . . . . . . 177 311 I.2. Since draft-ietf-httpbis-semantics-00 . . . . . . . . . . 178 312 I.3. Since draft-ietf-httpbis-semantics-01 . . . . . . . . . . 178 313 I.4. Since draft-ietf-httpbis-semantics-02 . . . . . . . . . . 180 314 I.5. Since draft-ietf-httpbis-semantics-03 . . . . . . . . . . 180 315 I.6. Since draft-ietf-httpbis-semantics-04 . . . . . . . . . . 181 316 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 317 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 190 318 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 190 320 1. Introduction 322 The Hypertext Transfer Protocol (HTTP) is a stateless application- 323 level request/response protocol that uses extensible semantics and 324 self-descriptive messages for flexible interaction with network-based 325 hypertext information systems. HTTP is defined by a series of 326 documents that collectively form the HTTP/1.1 specification: 328 o "HTTP Semantics" (this document) 330 o "HTTP Caching" [Caching] 332 o "HTTP/1.1 Messaging" [Messaging] 334 HTTP is a generic interface protocol for information systems. It is 335 designed to hide the details of how a service is implemented by 336 presenting a uniform interface to clients that is independent of the 337 types of resources provided. Likewise, servers do not need to be 338 aware of each client's purpose: an HTTP request can be considered in 339 isolation rather than being associated with a specific type of client 340 or a predetermined sequence of application steps. The result is a 341 protocol that can be used effectively in many different contexts and 342 for which implementations can evolve independently over time. 344 HTTP is also designed for use as an intermediation protocol for 345 translating communication to and from non-HTTP information systems. 346 HTTP proxies and gateways can provide access to alternative 347 information services by translating their diverse protocols into a 348 hypertext format that can be viewed and manipulated by clients in the 349 same way as HTTP services. 351 One consequence of this flexibility is that the protocol cannot be 352 defined in terms of what occurs behind the interface. Instead, we 353 are limited to defining the syntax of communication, the intent of 354 received communication, and the expected behavior of recipients. If 355 the communication is considered in isolation, then successful actions 356 ought to be reflected in corresponding changes to the observable 357 interface provided by servers. However, since multiple clients might 358 act in parallel and perhaps at cross-purposes, we cannot require that 359 such changes be observable beyond the scope of a single response. 361 Each HTTP message is either a request or a response. A server 362 listens on a connection for a request, parses each message received, 363 interprets the message semantics in relation to the identified 364 request target, and responds to that request with one or more 365 response messages. A client constructs request messages to 366 communicate specific intentions, examines received responses to see 367 if the intentions were carried out, and determines how to interpret 368 the results. 370 HTTP provides a uniform interface for interacting with a resource 371 (Section 2.5), regardless of its type, nature, or implementation, via 372 the manipulation and transfer of representations (Section 6). 374 This document defines semantics that are common to all versions of 375 HTTP. HTTP semantics include the intentions defined by each request 376 method (Section 7), extensions to those semantics that might be 377 described in request header fields (Section 8), the meaning of status 378 codes to indicate a machine-readable response (Section 9), and the 379 meaning of other control data and resource metadata that might be 380 given in response header fields (Section 10). 382 This document also defines representation metadata that describe how 383 a payload is intended to be interpreted by a recipient, the request 384 header fields that might influence content selection, and the various 385 selection algorithms that are collectively referred to as "content 386 negotiation" (Section 6.4). 388 This document defines HTTP range requests, partial responses, and the 389 multipart/byteranges media type. 391 This document obsoletes the portions of RFC 7230 that are independent 392 of the HTTP/1.1 messaging syntax and connection management, with the 393 changes being summarized in Appendix B. The other parts of RFC 7230 394 are obsoleted by "HTTP/1.1 Messaging" [Messaging]. This document 395 also obsoletes RFC 7231 (see Appendix C), RFC 7232 (see Appendix D), 396 RFC 7233 (see Appendix E), RFC 7235 (see Appendix F), RFC 7538 (see 397 Appendix G), and RFC 7615 (see Appendix H). 399 1.1. Requirements Notation 401 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 402 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 403 document are to be interpreted as described in [RFC2119]. 405 Conformance criteria and considerations regarding error handling are 406 defined in Section 3. 408 1.2. Syntax Notation 410 This specification uses the Augmented Backus-Naur Form (ABNF) 411 notation of [RFC5234], extended with the notation for case- 412 sensitivity in strings defined in [RFC7405]. 414 It also uses a list extension, defined in Section 11, that allows for 415 compact definition of comma-separated lists using a '#' operator 416 (similar to how the '*' operator indicates repetition). Appendix A 417 shows the collected grammar with all list operators expanded to 418 standard ABNF notation. 420 As a convention, ABNF rule names prefixed with "obs-" denote 421 "obsolete" grammar rules that appear for historical reasons. 423 The following core rules are included by reference, as defined in 424 Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return), 425 CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double 426 quote), HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF 427 (line feed), OCTET (any 8-bit sequence of data), SP (space), and 428 VCHAR (any visible US-ASCII character). 430 Section 4.2.3 defines some generic syntactic components for header 431 field values. 433 The rules below are defined in [Messaging]: 435 obs-fold = 436 protocol-name = 437 protocol-version = 438 request-target = 440 This specification uses the terms "character", "character encoding 441 scheme", "charset", and "protocol element" as they are defined in 442 [RFC6365]. 444 2. Architecture 446 HTTP was created for the World Wide Web (WWW) architecture and has 447 evolved over time to support the scalability needs of a worldwide 448 hypertext system. Much of that architecture is reflected in the 449 terminology and syntax productions used to define HTTP. 451 2.1. Client/Server Messaging 453 HTTP is a stateless request/response protocol that operates by 454 exchanging messages (Section 2 of [Messaging]) across a reliable 455 transport- or session-layer "connection" (Section 9 of [Messaging]). 456 An HTTP "client" is a program that establishes a connection to a 457 server for the purpose of sending one or more HTTP requests. An HTTP 458 "server" is a program that accepts connections in order to service 459 HTTP requests by sending HTTP responses. 461 The terms "client" and "server" refer only to the roles that these 462 programs perform for a particular connection. The same program might 463 act as a client on some connections and a server on others. The term 464 "user agent" refers to any of the various client programs that 465 initiate a request, including (but not limited to) browsers, spiders 466 (web-based robots), command-line tools, custom applications, and 467 mobile apps. The term "origin server" refers to the program that can 468 originate authoritative responses for a given target resource. The 469 terms "sender" and "recipient" refer to any implementation that sends 470 or receives a given message, respectively. 472 HTTP relies upon the Uniform Resource Identifier (URI) standard 473 [RFC3986] to indicate the target resource (Section 5.1) and 474 relationships between resources. 476 Most HTTP communication consists of a retrieval request (GET) for a 477 representation of some resource identified by a URI. In the simplest 478 case, this might be accomplished via a single bidirectional 479 connection (===) between the user agent (UA) and the origin server 480 (O). 482 request > 483 UA ======================================= O 484 < response 486 A client sends an HTTP request to a server in the form of a request 487 message, beginning with a method (Section 7) and URI, followed by 488 header fields containing request modifiers, client information, and 489 representation metadata (Section 5 of [Messaging]), and finally a 490 message body containing the payload body (if any, Section 6 of 491 [Messaging]). 493 A server responds to a client's request by sending one or more HTTP 494 response messages, each beginning with a success or error code 495 (Section 9), possibly followed by header fields containing server 496 information, resource metadata, and representation metadata 497 (Section 5 of [Messaging]), and finally a message body containing the 498 payload body (if any, Section 6 of [Messaging]). 500 A connection might be used for multiple request/response exchanges. 501 The mechanism used to correlate between request and response messages 502 is version dependent; some versions of HTTP use implicit ordering of 503 messages, while others use an explicit identifier. 505 Responses (both final and non-final) can be sent at any time after a 506 request is received, even if it is not yet complete. However, 507 clients (including intermediaries) might abandon a request if the 508 response is not forthcoming within a reasonable period of time. 510 The following example illustrates a typical message exchange for a 511 GET request (Section 7.3.1) on the URI "http://www.example.com/ 512 hello.txt": 514 Client request: 516 GET /hello.txt HTTP/1.1 517 User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 518 Host: www.example.com 519 Accept-Language: en, mi 521 Server response: 523 HTTP/1.1 200 OK 524 Date: Mon, 27 Jul 2009 12:28:53 GMT 525 Server: Apache 526 Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT 527 ETag: "34aa387-d-1568eb00" 528 Accept-Ranges: bytes 529 Content-Length: 51 530 Vary: Accept-Encoding 531 Content-Type: text/plain 533 Hello World! My payload includes a trailing CRLF. 535 2.2. Intermediaries 537 HTTP enables the use of intermediaries to satisfy requests through a 538 chain of connections. There are three common forms of HTTP 539 intermediary: proxy, gateway, and tunnel. In some cases, a single 540 intermediary might act as an origin server, proxy, gateway, or 541 tunnel, switching behavior based on the nature of each request. 543 > > > > 544 UA =========== A =========== B =========== C =========== O 545 < < < < 547 The figure above shows three intermediaries (A, B, and C) between the 548 user agent and origin server. A request or response message that 549 travels the whole chain will pass through four separate connections. 550 Some HTTP communication options might apply only to the connection 551 with the nearest, non-tunnel neighbor, only to the endpoints of the 552 chain, or to all connections along the chain. Although the diagram 553 is linear, each participant might be engaged in multiple, 554 simultaneous communications. For example, B might be receiving 555 requests from many clients other than A, and/or forwarding requests 556 to servers other than C, at the same time that it is handling A's 557 request. Likewise, later requests might be sent through a different 558 path of connections, often based on dynamic configuration for load 559 balancing. 561 The terms "upstream" and "downstream" are used to describe 562 directional requirements in relation to the message flow: all 563 messages flow from upstream to downstream. The terms "inbound" and 564 "outbound" are used to describe directional requirements in relation 565 to the request route: "inbound" means toward the origin server and 566 "outbound" means toward the user agent. 568 A "proxy" is a message-forwarding agent that is selected by the 569 client, usually via local configuration rules, to receive requests 570 for some type(s) of absolute URI and attempt to satisfy those 571 requests via translation through the HTTP interface. Some 572 translations are minimal, such as for proxy requests for "http" URIs, 573 whereas other requests might require translation to and from entirely 574 different application-level protocols. Proxies are often used to 575 group an organization's HTTP requests through a common intermediary 576 for the sake of security, annotation services, or shared caching. 577 Some proxies are designed to apply transformations to selected 578 messages or payloads while they are being forwarded, as described in 579 Section 5.5.2. 581 A "gateway" (a.k.a. "reverse proxy") is an intermediary that acts as 582 an origin server for the outbound connection but translates received 583 requests and forwards them inbound to another server or servers. 584 Gateways are often used to encapsulate legacy or untrusted 585 information services, to improve server performance through 586 "accelerator" caching, and to enable partitioning or load balancing 587 of HTTP services across multiple machines. 589 All HTTP requirements applicable to an origin server also apply to 590 the outbound communication of a gateway. A gateway communicates with 591 inbound servers using any protocol that it desires, including private 592 extensions to HTTP that are outside the scope of this specification. 593 However, an HTTP-to-HTTP gateway that wishes to interoperate with 594 third-party HTTP servers ought to conform to user agent requirements 595 on the gateway's inbound connection. 597 A "tunnel" acts as a blind relay between two connections without 598 changing the messages. Once active, a tunnel is not considered a 599 party to the HTTP communication, though the tunnel might have been 600 initiated by an HTTP request. A tunnel ceases to exist when both 601 ends of the relayed connection are closed. Tunnels are used to 602 extend a virtual connection through an intermediary, such as when 603 Transport Layer Security (TLS, [RFC5246]) is used to establish 604 confidential communication through a shared firewall proxy. 606 The above categories for intermediary only consider those acting as 607 participants in the HTTP communication. There are also 608 intermediaries that can act on lower layers of the network protocol 609 stack, filtering or redirecting HTTP traffic without the knowledge or 610 permission of message senders. Network intermediaries are 611 indistinguishable (at a protocol level) from a man-in-the-middle 612 attack, often introducing security flaws or interoperability problems 613 due to mistakenly violating HTTP semantics. 615 For example, an "interception proxy" [RFC3040] (also commonly known 616 as a "transparent proxy" [RFC1919] or "captive portal") differs from 617 an HTTP proxy because it is not selected by the client. Instead, an 618 interception proxy filters or redirects outgoing TCP port 80 packets 619 (and occasionally other common port traffic). Interception proxies 620 are commonly found on public network access points, as a means of 621 enforcing account subscription prior to allowing use of non-local 622 Internet services, and within corporate firewalls to enforce network 623 usage policies. 625 HTTP is defined as a stateless protocol, meaning that each request 626 message can be understood in isolation. Many implementations depend 627 on HTTP's stateless design in order to reuse proxied connections or 628 dynamically load balance requests across multiple servers. Hence, a 629 server MUST NOT assume that two requests on the same connection are 630 from the same user agent unless the connection is secured and 631 specific to that agent. Some non-standard HTTP extensions (e.g., 632 [RFC4559]) have been known to violate this requirement, resulting in 633 security and interoperability problems. 635 2.3. Caches 637 A "cache" is a local store of previous response messages and the 638 subsystem that controls its message storage, retrieval, and deletion. 639 A cache stores cacheable responses in order to reduce the response 640 time and network bandwidth consumption on future, equivalent 641 requests. Any client or server MAY employ a cache, though a cache 642 cannot be used by a server while it is acting as a tunnel. 644 The effect of a cache is that the request/response chain is shortened 645 if one of the participants along the chain has a cached response 646 applicable to that request. The following illustrates the resulting 647 chain if B has a cached copy of an earlier response from O (via C) 648 for a request that has not been cached by UA or A. 650 > > 651 UA =========== A =========== B - - - - - - C - - - - - - O 652 < < 654 A response is "cacheable" if a cache is allowed to store a copy of 655 the response message for use in answering subsequent requests. Even 656 when a response is cacheable, there might be additional constraints 657 placed by the client or by the origin server on when that cached 658 response can be used for a particular request. HTTP requirements for 659 cache behavior and cacheable responses are defined in Section 2 of 660 [Caching]. 662 There is a wide variety of architectures and configurations of caches 663 deployed across the World Wide Web and inside large organizations. 664 These include national hierarchies of proxy caches to save 665 transoceanic bandwidth, collaborative systems that broadcast or 666 multicast cache entries, archives of pre-fetched cache entries for 667 use in off-line or high-latency environments, and so on. 669 2.4. Uniform Resource Identifiers 671 Uniform Resource Identifiers (URIs) [RFC3986] are used throughout 672 HTTP as the means for identifying resources (Section 2.5). URI 673 references are used to target requests, indicate redirects, and 674 define relationships. 676 The definitions of "URI-reference", "absolute-URI", "relative-part", 677 "authority", "port", "host", "path-abempty", "segment", and "query" 678 are adopted from the URI generic syntax. An "absolute-path" rule is 679 defined for protocol elements that can contain a non-empty path 680 component. (This rule differs slightly from the path-abempty rule of 681 RFC 3986, which allows for an empty path to be used in references, 682 and path-absolute rule, which does not allow paths that begin with 683 "//".) A "partial-URI" rule is defined for protocol elements that 684 can contain a relative URI but not a fragment component. 686 URI-reference = 687 absolute-URI = 688 relative-part = 689 authority = 690 uri-host = 691 port = 692 path-abempty = 693 segment = 694 query = 696 absolute-path = 1*( "/" segment ) 697 partial-URI = relative-part [ "?" query ] 699 Each protocol element in HTTP that allows a URI reference will 700 indicate in its ABNF production whether the element allows any form 701 of reference (URI-reference), only a URI in absolute form (absolute- 702 URI), only the path and optional query components, or some 703 combination of the above. Unless otherwise indicated, URI references 704 are parsed relative to the effective request URI (Section 5.3). 706 2.5. Resources 708 The target of an HTTP request is called a "resource". HTTP does not 709 limit the nature of a resource; it merely defines an interface that 710 might be used to interact with resources. Each resource is 711 identified by a Uniform Resource Identifier (URI), as described in 712 Section 2.4. 714 One design goal of HTTP is to separate resource identification from 715 request semantics, which is made possible by vesting the request 716 semantics in the request method (Section 7) and a few request- 717 modifying header fields (Section 8). If there is a conflict between 718 the method semantics and any semantic implied by the URI itself, as 719 described in Section 7.2.1, the method semantics take precedence. 721 IANA maintains the registry of URI Schemes [BCP35] at 722 . Although requests 723 might target any URI scheme, the following schemes are inherent to 724 HTTP servers: 726 +------------+------------------------------------+---------------+ 727 | URI Scheme | Description | Reference | 728 +------------+------------------------------------+---------------+ 729 | http | Hypertext Transfer Protocol | Section 2.5.1 | 730 | https | Hypertext Transfer Protocol Secure | Section 2.5.2 | 731 +------------+------------------------------------+---------------+ 733 2.5.1. http URI Scheme 735 The "http" URI scheme is hereby defined for the purpose of minting 736 identifiers according to their association with the hierarchical 737 namespace governed by a potential HTTP origin server listening for 738 TCP ([RFC0793]) connections on a given port. 740 http-URI = "http:" "//" authority path-abempty [ "?" query ] 742 The origin server for an "http" URI is identified by the authority 743 component, which includes a host identifier and optional TCP port 744 ([RFC3986], Section 3.2.2). The hierarchical path component and 745 optional query component serve as an identifier for a potential 746 target resource within that origin server's name space. 748 A sender MUST NOT generate an "http" URI with an empty host 749 identifier. A recipient that processes such a URI reference MUST 750 reject it as invalid. 752 If the host identifier is provided as an IP address, the origin 753 server is the listener (if any) on the indicated TCP port at that IP 754 address. If host is a registered name, the registered name is an 755 indirect identifier for use with a name resolution service, such as 756 DNS, to find an address for that origin server. If the port 757 subcomponent is empty or not given, TCP port 80 (the reserved port 758 for WWW services) is the default. 760 Note that the presence of a URI with a given authority component does 761 not imply that there is always an HTTP server listening for 762 connections on that host and port. Anyone can mint a URI. What the 763 authority component determines is who has the right to respond 764 authoritatively to requests that target the identified resource. The 765 delegated nature of registered names and IP addresses creates a 766 federated namespace, based on control over the indicated host and 767 port, whether or not an HTTP server is present. See Section 12.1 for 768 security considerations related to establishing authority. 770 When an "http" URI is used within a context that calls for access to 771 the indicated resource, a client MAY attempt access by resolving the 772 host to an IP address, establishing a TCP connection to that address 773 on the indicated port, and sending an HTTP request message (Section 2 774 of [Messaging]) containing the URI's identifying data to the server. 775 If the server responds to that request with a non-interim HTTP 776 response message, as described in Section 9, then that response is 777 considered an authoritative answer to the client's request. 779 Although HTTP is independent of the transport protocol, the "http" 780 scheme is specific to TCP-based services because the name delegation 781 process depends on TCP for establishing authority. An HTTP service 782 based on some other underlying connection protocol would presumably 783 be identified using a different URI scheme, just as the "https" 784 scheme (below) is used for resources that require an end-to-end 785 secured connection. Other protocols might also be used to provide 786 access to "http" identified resources -- it is only the authoritative 787 interface that is specific to TCP. 789 The URI generic syntax for authority also includes a deprecated 790 userinfo subcomponent ([RFC3986], Section 3.2.1) for including user 791 authentication information in the URI. Some implementations make use 792 of the userinfo component for internal configuration of 793 authentication information, such as within command invocation 794 options, configuration files, or bookmark lists, even though such 795 usage might expose a user identifier or password. A sender MUST NOT 796 generate the userinfo subcomponent (and its "@" delimiter) when an 797 "http" URI reference is generated within a message as a request 798 target or header field value. Before making use of an "http" URI 799 reference received from an untrusted source, a recipient SHOULD parse 800 for userinfo and treat its presence as an error; it is likely being 801 used to obscure the authority for the sake of phishing attacks. 803 2.5.2. https URI Scheme 805 The "https" URI scheme is hereby defined for the purpose of minting 806 identifiers according to their association with the hierarchical 807 namespace governed by a potential HTTP origin server listening to a 808 given TCP port for TLS-secured connections ([RFC5246]). 810 All of the requirements listed above for the "http" scheme are also 811 requirements for the "https" scheme, except that TCP port 443 is the 812 default if the port subcomponent is empty or not given, and the user 813 agent MUST ensure that its connection to the origin server is secured 814 through the use of strong encryption, end-to-end, prior to sending 815 the first HTTP request. 817 https-URI = "https:" "//" authority path-abempty [ "?" query ] 819 Note that the "https" URI scheme depends on both TLS and TCP for 820 establishing authority. Resources made available via the "https" 821 scheme have no shared identity with the "http" scheme even if their 822 resource identifiers indicate the same authority (the same host 823 listening to the same TCP port). They are distinct namespaces and 824 are considered to be distinct origin servers. However, an extension 825 to HTTP that is defined to apply to entire host domains, such as the 826 Cookie protocol [RFC6265], can allow information set by one service 827 to impact communication with other services within a matching group 828 of host domains. 830 The process for authoritative access to an "https" identified 831 resource is defined in [RFC2818]. 833 2.5.3. Fragment Identifiers on http(s) URI References 835 Fragment identifiers allow for indirect identification of a secondary 836 resource, independent of the URI scheme, as defined in Section 3.5 of 837 [RFC3986]. Some protocol elements that refer to a URI allow 838 inclusion of a fragment, while others do not. They are distinguished 839 by use of the ABNF rule for elements where fragment is allowed; 840 otherwise, a specific rule that excludes fragments is used (see 841 Section 5.1). 843 Note: the fragment identifier component is not part of the actual 844 scheme definition for a URI scheme (see Section 4.3 of [RFC3986]), 845 thus does not appear in the ABNF definitions for the "http" and 846 "https" URI schemes above. 848 2.5.4. http and https URI Normalization and Comparison 850 Since the "http" and "https" schemes conform to the URI generic 851 syntax, such URIs are normalized and compared according to the 852 algorithm defined in Section 6 of [RFC3986], using the defaults 853 described above for each scheme. 855 If the port is equal to the default port for a scheme, the normal 856 form is to omit the port subcomponent. When not being used in 857 absolute form as the request target of an OPTIONS request, an empty 858 path component is equivalent to an absolute path of "/", so the 859 normal form is to provide a path of "/" instead. The scheme and host 860 are case-insensitive and normally provided in lowercase; all other 861 components are compared in a case-sensitive manner. Characters other 862 than those in the "reserved" set are equivalent to their percent- 863 encoded octets: the normal form is to not encode them (see Sections 864 2.1 and 2.2 of [RFC3986]). 866 For example, the following three URIs are equivalent: 868 http://example.com:80/~smith/home.html 869 http://EXAMPLE.com/%7Esmith/home.html 870 http://EXAMPLE.com:/%7esmith/home.html 872 3. Conformance 874 3.1. Implementation Diversity 876 When considering the design of HTTP, it is easy to fall into a trap 877 of thinking that all user agents are general-purpose browsers and all 878 origin servers are large public websites. That is not the case in 879 practice. Common HTTP user agents include household appliances, 880 stereos, scales, firmware update scripts, command-line programs, 881 mobile apps, and communication devices in a multitude of shapes and 882 sizes. Likewise, common HTTP origin servers include home automation 883 units, configurable networking components, office machines, 884 autonomous robots, news feeds, traffic cameras, ad selectors, and 885 video-delivery platforms. 887 The term "user agent" does not imply that there is a human user 888 directly interacting with the software agent at the time of a 889 request. In many cases, a user agent is installed or configured to 890 run in the background and save its results for later inspection (or 891 save only a subset of those results that might be interesting or 892 erroneous). Spiders, for example, are typically given a start URI 893 and configured to follow certain behavior while crawling the Web as a 894 hypertext graph. 896 The implementation diversity of HTTP means that not all user agents 897 can make interactive suggestions to their user or provide adequate 898 warning for security or privacy concerns. In the few cases where 899 this specification requires reporting of errors to the user, it is 900 acceptable for such reporting to only be observable in an error 901 console or log file. Likewise, requirements that an automated action 902 be confirmed by the user before proceeding might be met via advance 903 configuration choices, run-time options, or simple avoidance of the 904 unsafe action; confirmation does not imply any specific user 905 interface or interruption of normal processing if the user has 906 already made that choice. 908 3.2. Role-based Requirements 910 This specification targets conformance criteria according to the role 911 of a participant in HTTP communication. Hence, HTTP requirements are 912 placed on senders, recipients, clients, servers, user agents, 913 intermediaries, origin servers, proxies, gateways, or caches, 914 depending on what behavior is being constrained by the requirement. 915 Additional (social) requirements are placed on implementations, 916 resource owners, and protocol element registrations when they apply 917 beyond the scope of a single communication. 919 The verb "generate" is used instead of "send" where a requirement 920 differentiates between creating a protocol element and merely 921 forwarding a received element downstream. 923 An implementation is considered conformant if it complies with all of 924 the requirements associated with the roles it partakes in HTTP. 926 Conformance includes both the syntax and semantics of protocol 927 elements. A sender MUST NOT generate protocol elements that convey a 928 meaning that is known by that sender to be false. A sender MUST NOT 929 generate protocol elements that do not match the grammar defined by 930 the corresponding ABNF rules. Within a given message, a sender MUST 931 NOT generate protocol elements or syntax alternatives that are only 932 allowed to be generated by participants in other roles (i.e., a role 933 that the sender does not have for that message). 935 3.3. Parsing Elements 937 When a received protocol element is parsed, the recipient MUST be 938 able to parse any value of reasonable length that is applicable to 939 the recipient's role and that matches the grammar defined by the 940 corresponding ABNF rules. Note, however, that some received protocol 941 elements might not be parsed. For example, an intermediary 942 forwarding a message might parse a header-field into generic field- 943 name and field-value components, but then forward the header field 944 without further parsing inside the field-value. 946 HTTP does not have specific length limitations for many of its 947 protocol elements because the lengths that might be appropriate will 948 vary widely, depending on the deployment context and purpose of the 949 implementation. Hence, interoperability between senders and 950 recipients depends on shared expectations regarding what is a 951 reasonable length for each protocol element. Furthermore, what is 952 commonly understood to be a reasonable length for some protocol 953 elements has changed over the course of the past two decades of HTTP 954 use and is expected to continue changing in the future. 956 At a minimum, a recipient MUST be able to parse and process protocol 957 element lengths that are at least as long as the values that it 958 generates for those same protocol elements in other messages. For 959 example, an origin server that publishes very long URI references to 960 its own resources needs to be able to parse and process those same 961 references when received as a request target. 963 3.4. Error Handling 965 A recipient MUST interpret a received protocol element according to 966 the semantics defined for it by this specification, including 967 extensions to this specification, unless the recipient has determined 968 (through experience or configuration) that the sender incorrectly 969 implements what is implied by those semantics. For example, an 970 origin server might disregard the contents of a received Accept- 971 Encoding header field if inspection of the User-Agent header field 972 indicates a specific implementation version that is known to fail on 973 receipt of certain content codings. 975 Unless noted otherwise, a recipient MAY attempt to recover a usable 976 protocol element from an invalid construct. HTTP does not define 977 specific error handling mechanisms except when they have a direct 978 impact on security, since different applications of the protocol 979 require different error handling strategies. For example, a Web 980 browser might wish to transparently recover from a response where the 981 Location header field doesn't parse according to the ABNF, whereas a 982 systems control client might consider any form of error recovery to 983 be dangerous. 985 3.5. Protocol Versioning 987 The HTTP version number consists of two decimal digits separated by a 988 "." (period or decimal point). The first digit ("major version") 989 indicates the HTTP messaging syntax, whereas the second digit ("minor 990 version") indicates the highest minor version within that major 991 version to which the sender is conformant and able to understand for 992 future communication. 994 The protocol version as a whole indicates the sender's conformance 995 with the set of requirements laid out in that version's corresponding 996 specification of HTTP. For example, the version "HTTP/1.1" is 997 defined by the combined specifications of this document, "HTTP 998 Caching" [Caching], and "HTTP/1.1 Messaging" [Messaging]. 1000 The minor version advertises the sender's communication capabilities 1001 even when the sender is only using a backwards-compatible subset of 1002 the protocol, thereby letting the recipient know that more advanced 1003 features can be used in response (by servers) or in future requests 1004 (by clients). 1006 A client SHOULD send a request version equal to the highest version 1007 to which the client is conformant and whose major version is no 1008 higher than the highest version supported by the server, if this is 1009 known. A client MUST NOT send a version to which it is not 1010 conformant. 1012 A client MAY send a lower request version if it is known that the 1013 server incorrectly implements the HTTP specification, but only after 1014 the client has attempted at least one normal request and determined 1015 from the response status code or header fields (e.g., Server) that 1016 the server improperly handles higher request versions. 1018 A server SHOULD send a response version equal to the highest version 1019 to which the server is conformant that has a major version less than 1020 or equal to the one received in the request. A server MUST NOT send 1021 a version to which it is not conformant. A server can send a 505 1022 (HTTP Version Not Supported) response if it wishes, for any reason, 1023 to refuse service of the client's major protocol version. 1025 HTTP's major version number is incremented when an incompatible 1026 message syntax is introduced. The minor number is incremented when 1027 changes made to the protocol have the effect of adding to the message 1028 semantics or implying additional capabilities of the sender. 1030 When an HTTP message is received with a major version number that the 1031 recipient implements, but a higher minor version number than what the 1032 recipient implements, the recipient SHOULD process the message as if 1033 it were in the highest minor version within that major version to 1034 which the recipient is conformant. A recipient can assume that a 1035 message with a higher minor version, when sent to a recipient that 1036 has not yet indicated support for that higher version, is 1037 sufficiently backwards-compatible to be safely processed by any 1038 implementation of the same major version. 1040 When a major version of HTTP does not define any minor versions, the 1041 minor version "0" is implied and is used when referring to that 1042 protocol within a protocol element that requires sending a minor 1043 version. 1045 4. Message Abstraction 1047 Each major version of HTTP defines its own syntax for the inclusion 1048 of information in messages. Nevertheless, a common abstraction is 1049 that a message includes some form of envelope/framing, a potential 1050 set of named data fields, and a potential body. This section defines 1051 the abstraction for message fields as field-name and field-value 1052 pairs. 1054 4.1. Header Field Names 1056 Header fields are key:value pairs that can be used to communicate 1057 data about the message, its payload, the target resource, or the 1058 connection (i.e., control data). 1060 The requirements for header field names are defined in [BCP90]. 1062 The field-name token labels the corresponding field-value as having 1063 the semantics defined by that header field. For example, the Date 1064 header field is defined in Section 10.1.1.2 as containing the 1065 origination timestamp for the message in which it appears. 1067 field-name = token 1069 The interpretation of a header field does not change between minor 1070 versions of the same major HTTP version, though the default behavior 1071 of a recipient in the absence of such a field can change. Unless 1072 specified otherwise, header fields are defined for all versions of 1073 HTTP. In particular, the Host and Connection header fields ought to 1074 be implemented by all HTTP/1.x implementations whether or not they 1075 advertise conformance with HTTP/1.1. 1077 New header fields can be introduced without changing the protocol 1078 version if their defined semantics allow them to be safely ignored by 1079 recipients that do not recognize them. Header field extensibility is 1080 discussed in Section 4.1.2. 1082 The following field names are defined by this document: 1084 +---------------------------+------------+-------------------+ 1085 | Header Field Name | Status | Reference | 1086 +---------------------------+------------+-------------------+ 1087 | Accept | standard | Section 8.4.2 | 1088 | Accept-Charset | deprecated | Section 8.4.3 | 1089 | Accept-Encoding | standard | Section 8.4.4 | 1090 | Accept-Language | standard | Section 8.4.5 | 1091 | Accept-Ranges | standard | Section 10.4.1 | 1092 | Allow | standard | Section 10.4.2 | 1093 | Authentication-Info | standard | Section 10.3.3 | 1094 | Authorization | standard | Section 8.5.3 | 1095 | Content-Encoding | standard | Section 6.2.2 | 1096 | Content-Language | standard | Section 6.2.3 | 1097 | Content-Length | standard | Section 6.2.4 | 1098 | Content-Location | standard | Section 6.2.5 | 1099 | Content-Range | standard | Section 6.3.3 | 1100 | Content-Type | standard | Section 6.2.1 | 1101 | Date | standard | Section 10.1.1.2 | 1102 | ETag | standard | Section 10.2.3 | 1103 | Expect | standard | Section 8.1.1 | 1104 | From | standard | Section 8.6.1 | 1105 | Host | standard | Section 5.4 | 1106 | If-Match | standard | Section 8.2.3 | 1107 | If-Modified-Since | standard | Section 8.2.5 | 1108 | If-None-Match | standard | Section 8.2.4 | 1109 | If-Range | standard | Section 8.2.7 | 1110 | If-Unmodified-Since | standard | Section 8.2.6 | 1111 | Last-Modified | standard | Section 10.2.2 | 1112 | Location | standard | Section 10.1.2 | 1113 | Max-Forwards | standard | Section 8.1.2 | 1114 | Proxy-Authenticate | standard | Section 10.3.2 | 1115 | Proxy-Authentication-Info | standard | Section 10.3.4 | 1116 | Proxy-Authorization | standard | Section 8.5.4 | 1117 | Range | standard | Section 8.3 | 1118 | Referer | standard | Section 8.6.2 | 1119 | Retry-After | standard | Section 10.1.3 | 1120 | Server | standard | Section 10.4.3 | 1121 | Trailer | standard | Section 4.4 | 1122 | User-Agent | standard | Section 8.6.3 | 1123 | Vary | standard | Section 10.1.4 | 1124 | Via | standard | Section 5.5.1 | 1125 | WWW-Authenticate | standard | Section 10.3.1 | 1126 +---------------------------+------------+-------------------+ 1128 Table 1 1130 4.1.1. Header Field Name Registry 1132 The "Hypertext Transfer Protocol (HTTP) Header Field Registry" 1133 defines the namespace for HTTP header field names. 1135 Any party can request registration of a HTTP header field. See 1136 Section 4.1.3 for considerations to take into account when creating a 1137 new HTTP header field. 1139 The "HTTP Header Field Name" registry is located at 1140 "https://www.iana.org/assignments/http-headers/". Registration 1141 requests can be made by following the instructions located there or 1142 by sending an email to the "ietf-http-wg@ietf.org" mailing list. 1144 Header field names are registered on the advice of a Designated 1145 Expert (appointed by the IESG or their delegate). Header fields with 1146 the status 'permanent' are Specification Required (using terminology 1147 from [RFC8126]). 1149 Registration requests consist of at least the following information: 1151 o Header field name: The requested field name. It MUST conform to 1152 the field-name syntax defined in Section 4.1, and SHOULD be 1153 restricted to just letters, digits, hyphen ('-') and underscore 1154 ('_') characters, with the first character being a letter. 1156 o Status: "permanent" or "provisional" 1158 o Specification document(s): Reference to the document that 1159 specifies the header field, preferably including a URI that can be 1160 used to retrieve a copy of the document. An indication of the 1161 relevant section(s) can also be included, but is not required. 1163 The Expert(s) can define additional fields to be collected in the 1164 registry, in consultation with the community. 1166 Standards-defined names have a status of "permanent". Other names 1167 can also be registered as permanent, if the Expert(s) find that they 1168 are in use, in consultation with the community. Other names should 1169 be registered as "provisional". 1171 Provisional entries can be removed by the Expert(s) if -- in 1172 consultation with the community -- the Expert(s) find that they are 1173 not in use. The Experts can change a provisional entry's status to 1174 permanent at any time. 1176 Note that names can be registered by third parties (including the 1177 Expert(s)), if the Expert(s) determines that an unregistered name is 1178 widely deployed and not likely to be registered in a timely manner 1179 otherwise. 1181 4.1.2. Header Field Extensibility 1183 Header fields are fully extensible: there is no limit on the 1184 introduction of new field names, each presumably defining new 1185 semantics, nor on the number of header fields used in a given 1186 message. Existing fields are defined in each part of this 1187 specification and in many other specifications outside this document 1188 set. 1190 New header fields can be defined such that, when they are understood 1191 by a recipient, they might override or enhance the interpretation of 1192 previously defined header fields, define preconditions on request 1193 evaluation, or refine the meaning of responses. 1195 A proxy MUST forward unrecognized header fields unless the field-name 1196 is listed in the Connection header field (Section 9.1 of [Messaging]) 1197 or the proxy is specifically configured to block, or otherwise 1198 transform, such fields. Other recipients SHOULD ignore unrecognized 1199 header fields. These requirements allow HTTP's functionality to be 1200 enhanced without requiring prior update of deployed intermediaries. 1202 All defined header fields ought to be registered with IANA in the 1203 "HTTP Header Field Name" registry. 1205 4.1.3. Considerations for New Header Fields 1207 Authors of specifications defining new fields are advised to keep the 1208 name as short as practical and not to prefix the name with "X-" 1209 unless the header field will never be used on the Internet. (The 1210 "X-" prefix idiom has been extensively misused in practice; it was 1211 intended to only be used as a mechanism for avoiding name collisions 1212 inside proprietary software or intranet processing, since the prefix 1213 would ensure that private names never collide with a newly registered 1214 Internet name; see [BCP178] for further information). 1216 Authors of specifications defining new header fields are advised to 1217 consider documenting: 1219 o Whether the field is a single value or whether it can be a list 1220 (delimited by commas; see Section 5 of [Messaging]). 1222 If it does not use the list syntax, document how to treat messages 1223 where the field occurs multiple times (a sensible default would be 1224 to ignore the field, but this might not always be the right 1225 choice). 1227 Note that intermediaries and software libraries might combine 1228 multiple header field instances into a single one, despite the 1229 field's definition not allowing the list syntax. A robust format 1230 enables recipients to discover these situations (good example: 1231 "Content-Type", as the comma can only appear inside quoted 1232 strings; bad example: "Location", as a comma can occur inside a 1233 URI). 1235 o Under what conditions the header field can be used; e.g., only in 1236 responses or requests, in all messages, only on responses to a 1237 particular request method, etc. 1239 o Whether the field should be stored by origin servers that 1240 understand it upon a PUT request. 1242 o Whether the field semantics are further refined by the context, 1243 such as by existing request methods or status codes. 1245 o Whether it is appropriate to list the field-name in the Connection 1246 header field (i.e., if the header field is to be hop-by-hop; see 1247 Section 9.1 of [Messaging]). 1249 o Under what conditions intermediaries are allowed to insert, 1250 delete, or modify the field's value. 1252 o Whether it is appropriate to list the field-name in a Vary 1253 response header field (e.g., when the request header field is used 1254 by an origin server's content selection algorithm; see 1255 Section 10.1.4). 1257 o Whether the header field is useful or allowable in trailers (see 1258 Section 7.1 of [Messaging]). 1260 o Whether the header field ought to be preserved across redirects. 1262 o Whether it introduces any additional security considerations, such 1263 as disclosure of privacy-related data. 1265 4.2. Header Field Values 1267 This specification does not use ABNF rules to define each "Field- 1268 Name: Field Value" pair, as was done in earlier editions. Instead, 1269 this specification uses ABNF rules that are named according to each 1270 registered field name, wherein the rule defines the valid grammar for 1271 that field's corresponding field values (i.e., after the field-value 1272 has been extracted by a generic field parser). 1274 field-value = *( field-content / obs-fold ) 1275 field-content = field-vchar 1276 [ 1*( SP / HTAB / field-vchar ) field-vchar ] 1277 field-vchar = VCHAR / obs-text 1279 Historically, HTTP header field values could be extended over 1280 multiple lines by preceding each extra line with at least one space 1281 or horizontal tab (obs-fold). [[CREF1: This document assumes that 1282 any such obs-fold has been replaced with one or more SP octets prior 1283 to interpreting the field value, as described in Section 5.2 of 1284 [Messaging].]] 1286 Historically, HTTP has allowed field content with text in the 1287 ISO-8859-1 charset [ISO-8859-1], supporting other charsets only 1288 through use of [RFC2047] encoding. In practice, most HTTP header 1289 field values use only a subset of the US-ASCII charset [USASCII]. 1290 Newly defined header fields SHOULD limit their field values to 1291 US-ASCII octets. A recipient SHOULD treat other octets in field 1292 content (obs-text) as opaque data. 1294 4.2.1. Header Field Order 1296 The order in which header fields with differing field names are 1297 received is not significant. However, it is good practice to send 1298 header fields that contain control data first, such as Host on 1299 requests and Date on responses, so that implementations can decide 1300 when not to handle a message as early as possible. A server MUST NOT 1301 apply a request to the target resource until the entire request 1302 header section is received, since later header fields might include 1303 conditionals, authentication credentials, or deliberately misleading 1304 duplicate header fields that would impact request processing. 1306 Aside from the well-known exception noted below, a sender MUST NOT 1307 generate multiple header fields with the same field name in a 1308 message, or append a header field when a field of the same name 1309 already exists in the message, unless that field's definition allows 1310 multiple field values to be recombined as a comma-separated list 1311 [i.e., at least one alternative of the field's definition allows a 1312 comma-separated list, such as an ABNF rule of #(values)]. 1314 A recipient MAY combine multiple header fields with the same field 1315 name into one "field-name: field-value" pair, without changing the 1316 semantics of the message, by appending each subsequent field value to 1317 the combined field value in order, separated by a comma. The order 1318 in which header fields with the same field name are received is 1319 therefore significant to the interpretation of the combined field 1320 value; a proxy MUST NOT change the order of these field values when 1321 forwarding a message. 1323 Note: In practice, the "Set-Cookie" header field ([RFC6265]) often 1324 appears multiple times in a response message and does not use the 1325 list syntax, violating the above requirements on multiple header 1326 fields with the same name. Since it cannot be combined into a 1327 single field-value, recipients ought to handle "Set-Cookie" as a 1328 special case while processing header fields. (See Appendix A.2.3 1329 of [Kri2001] for details.) 1331 4.2.2. Header Field Limits 1333 HTTP does not place a predefined limit on the length of each header 1334 field or on the length of the header section as a whole, as described 1335 in Section 3. Various ad hoc limitations on individual header field 1336 length are found in practice, often depending on the specific field 1337 semantics. 1339 A server that receives a request header field, or set of fields, 1340 larger than it wishes to process MUST respond with an appropriate 4xx 1341 (Client Error) status code. Ignoring such header fields would 1342 increase the server's vulnerability to request smuggling attacks 1343 (Section 11.2 of [Messaging]). 1345 A client MAY discard or truncate received header fields that are 1346 larger than the client wishes to process if the field semantics are 1347 such that the dropped value(s) can be safely ignored without changing 1348 the message framing or response semantics. 1350 4.2.3. Header Field Value Components 1352 Many HTTP header field values are defined using common syntax 1353 components, separated by whitespace or specific delimiting 1354 characters. Delimiters are chosen from the set of US-ASCII visual 1355 characters not allowed in a token (DQUOTE and "(),/:;<=>?@[\]{}"). 1357 4.2.3.1. Tokens 1359 Tokens are short textual identifiers that do not include whitespace 1360 or delimiters. 1362 token = 1*tchar 1364 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" 1365 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" 1366 / DIGIT / ALPHA 1367 ; any VCHAR, except delimiters 1369 4.2.3.2. Quoted Strings 1371 A string of text is parsed as a single value if it is quoted using 1372 double-quote marks. 1374 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 1375 qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text 1376 obs-text = %x80-FF 1378 The backslash octet ("\") can be used as a single-octet quoting 1379 mechanism within quoted-string and comment constructs. Recipients 1380 that process the value of a quoted-string MUST handle a quoted-pair 1381 as if it were replaced by the octet following the backslash. 1383 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 1385 A sender SHOULD NOT generate a quoted-pair in a quoted-string except 1386 where necessary to quote DQUOTE and backslash octets occurring within 1387 that string. A sender SHOULD NOT generate a quoted-pair in a comment 1388 except where necessary to quote parentheses ["(" and ")"] and 1389 backslash octets occurring within that comment. 1391 4.2.3.3. Comments 1393 Comments can be included in some HTTP header fields by surrounding 1394 the comment text with parentheses. Comments are only allowed in 1395 fields containing "comment" as part of their field value definition. 1397 comment = "(" *( ctext / quoted-pair / comment ) ")" 1398 ctext = HTAB / SP / %x21-27 / %x2A-5B / %x5D-7E / obs-text 1400 4.2.3.4. Parameters 1402 A parameter is a name=value pair that is often defined within header 1403 field values as a common syntax for appending auxiliary information 1404 to an item. Each parameter is usually delimited by an immediately 1405 preceding semicolon. 1407 parameter = parameter-name "=" parameter-value 1408 parameter-name = token 1409 parameter-value = ( token / quoted-string ) 1411 Parameter names are case-insensitive. Parameter values might or 1412 might not be case-sensitive, depending on the semantics of the 1413 parameter name. Examples of parameters and some equivalent forms can 1414 be seen in media types (Section 6.1.1) and the Accept header field 1415 (Section 8.4.2). 1417 A parameter value that matches the token production can be 1418 transmitted either as a token or within a quoted-string. The quoted 1419 and unquoted values are equivalent. 1421 Note: Parameters do not allow whitespace (not even "bad" 1422 whitespace) around the "=" character. 1424 4.2.4. Designing New Header Field Values 1426 New header field values typically have their syntax defined using 1427 ABNF ([RFC5234]), using the extension defined in Section 11 as 1428 necessary, and are usually constrained to the range of US-ASCII 1429 characters. Header fields needing a greater range of characters can 1430 use an encoding such as the one defined in [RFC8187]. 1432 Leading and trailing whitespace in raw field values is removed upon 1433 field parsing (Section 5.1 of [Messaging]). Field definitions where 1434 leading or trailing whitespace in values is significant will have to 1435 use a container syntax such as quoted-string (Section 4.2.3). 1437 Because commas (",") are used as a generic delimiter between field- 1438 values, they need to be treated with care if they are allowed in the 1439 field-value. Typically, components that might contain a comma are 1440 protected with double-quotes using the quoted-string ABNF production. 1442 For example, a textual date and a URI (either of which might contain 1443 a comma) could be safely carried in field-values like these: 1445 Example-URI-Field: "http://example.com/a.html,foo", 1446 "http://without-a-comma.example.com/" 1447 Example-Date-Field: "Sat, 04 May 1996", "Wed, 14 Sep 2005" 1449 Note that double-quote delimiters almost always are used with the 1450 quoted-string production; using a different syntax inside double- 1451 quotes will likely cause unnecessary confusion. 1453 Many header fields (such as Content-Type, defined in Section 6.2.1) 1454 use a common syntax for parameters that allows both unquoted (token) 1455 and quoted (quoted-string) syntax for a parameter value 1456 (Section 4.2.3.4). Use of common syntax allows recipients to reuse 1457 existing parser components. When allowing both forms, the meaning of 1458 a parameter value ought to be the same whether it was received as a 1459 token or a quoted string. 1461 4.3. Whitespace 1463 This specification uses three rules to denote the use of linear 1464 whitespace: OWS (optional whitespace), RWS (required whitespace), and 1465 BWS ("bad" whitespace). 1467 The OWS rule is used where zero or more linear whitespace octets 1468 might appear. For protocol elements where optional whitespace is 1469 preferred to improve readability, a sender SHOULD generate the 1470 optional whitespace as a single SP; otherwise, a sender SHOULD NOT 1471 generate optional whitespace except as needed to white out invalid or 1472 unwanted protocol elements during in-place message filtering. 1474 The RWS rule is used when at least one linear whitespace octet is 1475 required to separate field tokens. A sender SHOULD generate RWS as a 1476 single SP. 1478 The BWS rule is used where the grammar allows optional whitespace 1479 only for historical reasons. A sender MUST NOT generate BWS in 1480 messages. A recipient MUST parse for such bad whitespace and remove 1481 it before interpreting the protocol element. 1483 OWS = *( SP / HTAB ) 1484 ; optional whitespace 1485 RWS = 1*( SP / HTAB ) 1486 ; required whitespace 1487 BWS = OWS 1488 ; "bad" whitespace 1490 4.4. Trailer 1492 [[CREF2: The "Trailer" header field in a message indicates fields 1493 that the sender anticipates sending after the message header block 1494 (i.e., during or after the payload is sent). This is typically used 1495 to supply metadata that might be dynamically generated while the data 1496 is sent, such as a message integrity check, digital signature, or 1497 post-processing status. ]] 1499 Trailer = 1#field-name 1501 [[CREF3: How, where, and when trailer fields might be sent depends on 1502 both the protocol in use (HTTP version and/or transfer coding) and 1503 the semantics of each named header field. Many header fields cannot 1504 be processed outside the header section because their evaluation is 1505 necessary for message routing, authentication, or configuration prior 1506 to receiving the representation data. ]] 1508 5. Message Routing 1510 HTTP request message routing is determined by each client based on 1511 the target resource, the client's proxy configuration, and 1512 establishment or reuse of an inbound connection. The corresponding 1513 response routing follows the same connection chain back to the 1514 client. 1516 5.1. Identifying a Target Resource 1518 HTTP is used in a wide variety of applications, ranging from general- 1519 purpose computers to home appliances. In some cases, communication 1520 options are hard-coded in a client's configuration. However, most 1521 HTTP clients rely on the same resource identification mechanism and 1522 configuration techniques as general-purpose Web browsers. 1524 HTTP communication is initiated by a user agent for some purpose. 1525 The purpose is a combination of request semantics and a target 1526 resource upon which to apply those semantics. A URI reference 1527 (Section 2.4) is typically used as an identifier for the "target 1528 resource", which a user agent would resolve to its absolute form in 1529 order to obtain the "target URI". The target URI excludes the 1530 reference's fragment component, if any, since fragment identifiers 1531 are reserved for client-side processing ([RFC3986], Section 3.5). 1533 5.2. Routing Inbound 1535 Once the target URI is determined, a client needs to decide whether a 1536 network request is necessary to accomplish the desired semantics and, 1537 if so, where that request is to be directed. 1539 If the client has a cache [Caching] and the request can be satisfied 1540 by it, then the request is usually directed there first. 1542 If the request is not satisfied by a cache, then a typical client 1543 will check its configuration to determine whether a proxy is to be 1544 used to satisfy the request. Proxy configuration is implementation- 1545 dependent, but is often based on URI prefix matching, selective 1546 authority matching, or both, and the proxy itself is usually 1547 identified by an "http" or "https" URI. If a proxy is applicable, 1548 the client connects inbound by establishing (or reusing) a connection 1549 to that proxy. 1551 If no proxy is applicable, a typical client will invoke a handler 1552 routine, usually specific to the target URI's scheme, to connect 1553 directly to an authority for the target resource. How that is 1554 accomplished is dependent on the target URI scheme and defined by its 1555 associated specification, similar to how this specification defines 1556 origin server access for resolution of the "http" (Section 2.5.1) and 1557 "https" (Section 2.5.2) schemes. 1559 HTTP requirements regarding connection management are defined in 1560 Section 9 of [Messaging]. 1562 5.3. Effective Request URI 1564 Once an inbound connection is obtained, the client sends an HTTP 1565 request message (Section 2 of [Messaging]). 1567 Depending on the nature of the request, the client's target URI might 1568 be split into components and transmitted (or implied) within various 1569 parts of a request message. These parts are recombined by each 1570 recipient, in accordance with their local configuration and incoming 1571 connection context, to form an "effective request URI" for 1572 identifying the intended target resource with respect to that server. 1573 Section 3.3 of [Messaging] defines how a server determines the 1574 effective request URI for an HTTP/1.1 request. 1576 For a user agent, the effective request URI is the target URI. 1578 Once the effective request URI has been constructed, an origin server 1579 needs to decide whether or not to provide service for that URI via 1580 the connection in which the request was received. For example, the 1581 request might have been misdirected, deliberately or accidentally, 1582 such that the information within a received request-target or Host 1583 header field differs from the host or port upon which the connection 1584 has been made. If the connection is from a trusted gateway, that 1585 inconsistency might be expected; otherwise, it might indicate an 1586 attempt to bypass security filters, trick the server into delivering 1587 non-public content, or poison a cache. See Section 12 for security 1588 considerations regarding message routing. 1590 5.4. Host 1592 The "Host" header field in a request provides the host and port 1593 information from the target URI, enabling the origin server to 1594 distinguish among resources while servicing requests for multiple 1595 host names on a single IP address. 1597 Host = uri-host [ ":" port ] ; Section 2.4 1599 A client MUST send a Host header field in all HTTP/1.1 request 1600 messages. If the target URI includes an authority component, then a 1601 client MUST send a field-value for Host that is identical to that 1602 authority component, excluding any userinfo subcomponent and its "@" 1603 delimiter (Section 2.5.1). If the authority component is missing or 1604 undefined for the target URI, then a client MUST send a Host header 1605 field with an empty field-value. 1607 Since the Host field-value is critical information for handling a 1608 request, a user agent SHOULD generate Host as the first header field 1609 following the request-line. 1611 For example, a GET request to the origin server for 1612 would begin with: 1614 GET /pub/WWW/ HTTP/1.1 1615 Host: www.example.org 1617 A client MUST send a Host header field in an HTTP/1.1 request even if 1618 the request-target is in the absolute-form, since this allows the 1619 Host information to be forwarded through ancient HTTP/1.0 proxies 1620 that might not have implemented Host. 1622 When a proxy receives a request with an absolute-form of request- 1623 target, the proxy MUST ignore the received Host header field (if any) 1624 and instead replace it with the host information of the request- 1625 target. A proxy that forwards such a request MUST generate a new 1626 Host field-value based on the received request-target rather than 1627 forward the received Host field-value. 1629 Since the Host header field acts as an application-level routing 1630 mechanism, it is a frequent target for malware seeking to poison a 1631 shared cache or redirect a request to an unintended server. An 1632 interception proxy is particularly vulnerable if it relies on the 1633 Host field-value for redirecting requests to internal servers, or for 1634 use as a cache key in a shared cache, without first verifying that 1635 the intercepted connection is targeting a valid IP address for that 1636 host. 1638 A server MUST respond with a 400 (Bad Request) status code to any 1639 HTTP/1.1 request message that lacks a Host header field and to any 1640 request message that contains more than one Host header field or a 1641 Host header field with an invalid field-value. 1643 5.5. Message Forwarding 1645 As described in Section 2.2, intermediaries can serve a variety of 1646 roles in the processing of HTTP requests and responses. Some 1647 intermediaries are used to improve performance or availability. 1648 Others are used for access control or to filter content. Since an 1649 HTTP stream has characteristics similar to a pipe-and-filter 1650 architecture, there are no inherent limits to the extent an 1651 intermediary can enhance (or interfere) with either direction of the 1652 stream. 1654 An intermediary not acting as a tunnel MUST implement the Connection 1655 header field, as specified in Section 9.1 of [Messaging], and exclude 1656 fields from being forwarded that are only intended for the incoming 1657 connection. 1659 An intermediary MUST NOT forward a message to itself unless it is 1660 protected from an infinite request loop. In general, an intermediary 1661 ought to recognize its own server names, including any aliases, local 1662 variations, or literal IP addresses, and respond to such requests 1663 directly. 1665 An HTTP message can be parsed as a stream for incremental processing 1666 or forwarding downstream. However, recipients cannot rely on 1667 incremental delivery of partial messages, since some implementations 1668 will buffer or delay message forwarding for the sake of network 1669 efficiency, security checks, or payload transformations. 1671 5.5.1. Via 1673 The "Via" header field indicates the presence of intermediate 1674 protocols and recipients between the user agent and the server (on 1675 requests) or between the origin server and the client (on responses), 1676 similar to the "Received" header field in email (Section 3.6.7 of 1677 [RFC5322]). Via can be used for tracking message forwards, avoiding 1678 request loops, and identifying the protocol capabilities of senders 1679 along the request/response chain. 1681 Via = 1#( received-protocol RWS received-by [ RWS comment ] ) 1683 received-protocol = [ protocol-name "/" ] protocol-version 1684 ; see [Messaging], Section 9.8 1685 received-by = ( uri-host [ ":" port ] ) / pseudonym 1686 pseudonym = token 1688 Multiple Via field values represent each proxy or gateway that has 1689 forwarded the message. Each intermediary appends its own information 1690 about how the message was received, such that the end result is 1691 ordered according to the sequence of forwarding recipients. 1693 A proxy MUST send an appropriate Via header field, as described 1694 below, in each message that it forwards. An HTTP-to-HTTP gateway 1695 MUST send an appropriate Via header field in each inbound request 1696 message and MAY send a Via header field in forwarded response 1697 messages. 1699 For each intermediary, the received-protocol indicates the protocol 1700 and protocol version used by the upstream sender of the message. 1701 Hence, the Via field value records the advertised protocol 1702 capabilities of the request/response chain such that they remain 1703 visible to downstream recipients; this can be useful for determining 1704 what backwards-incompatible features might be safe to use in 1705 response, or within a later request, as described in Section 3.5. 1706 For brevity, the protocol-name is omitted when the received protocol 1707 is HTTP. 1709 The received-by portion of the field value is normally the host and 1710 optional port number of a recipient server or client that 1711 subsequently forwarded the message. However, if the real host is 1712 considered to be sensitive information, a sender MAY replace it with 1713 a pseudonym. If a port is not provided, a recipient MAY interpret 1714 that as meaning it was received on the default TCP port, if any, for 1715 the received-protocol. 1717 A sender MAY generate comments in the Via header field to identify 1718 the software of each recipient, analogous to the User-Agent and 1719 Server header fields. However, all comments in the Via field are 1720 optional, and a recipient MAY remove them prior to forwarding the 1721 message. 1723 For example, a request message could be sent from an HTTP/1.0 user 1724 agent to an internal proxy code-named "fred", which uses HTTP/1.1 to 1725 forward the request to a public proxy at p.example.net, which 1726 completes the request by forwarding it to the origin server at 1727 www.example.com. The request received by www.example.com would then 1728 have the following Via header field: 1730 Via: 1.0 fred, 1.1 p.example.net 1732 An intermediary used as a portal through a network firewall SHOULD 1733 NOT forward the names and ports of hosts within the firewall region 1734 unless it is explicitly enabled to do so. If not enabled, such an 1735 intermediary SHOULD replace each received-by host of any host behind 1736 the firewall by an appropriate pseudonym for that host. 1738 An intermediary MAY combine an ordered subsequence of Via header 1739 field entries into a single such entry if the entries have identical 1740 received-protocol values. For example, 1742 Via: 1.0 ricky, 1.1 ethel, 1.1 fred, 1.0 lucy 1744 could be collapsed to 1746 Via: 1.0 ricky, 1.1 mertz, 1.0 lucy 1748 A sender SHOULD NOT combine multiple entries unless they are all 1749 under the same organizational control and the hosts have already been 1750 replaced by pseudonyms. A sender MUST NOT combine entries that have 1751 different received-protocol values. 1753 5.5.2. Transformations 1755 Some intermediaries include features for transforming messages and 1756 their payloads. A proxy might, for example, convert between image 1757 formats in order to save cache space or to reduce the amount of 1758 traffic on a slow link. However, operational problems might occur 1759 when these transformations are applied to payloads intended for 1760 critical applications, such as medical imaging or scientific data 1761 analysis, particularly when integrity checks or digital signatures 1762 are used to ensure that the payload received is identical to the 1763 original. 1765 An HTTP-to-HTTP proxy is called a "transforming proxy" if it is 1766 designed or configured to modify messages in a semantically 1767 meaningful way (i.e., modifications, beyond those required by normal 1768 HTTP processing, that change the message in a way that would be 1769 significant to the original sender or potentially significant to 1770 downstream recipients). For example, a transforming proxy might be 1771 acting as a shared annotation server (modifying responses to include 1772 references to a local annotation database), a malware filter, a 1773 format transcoder, or a privacy filter. Such transformations are 1774 presumed to be desired by whichever client (or client organization) 1775 selected the proxy. 1777 If a proxy receives a request-target with a host name that is not a 1778 fully qualified domain name, it MAY add its own domain to the host 1779 name it received when forwarding the request. A proxy MUST NOT 1780 change the host name if the request-target contains a fully qualified 1781 domain name. 1783 A proxy MUST NOT modify the "absolute-path" and "query" parts of the 1784 received request-target when forwarding it to the next inbound 1785 server, except as noted above to replace an empty path with "/" or 1786 "*". 1788 A proxy MAY modify the message body through application or removal of 1789 a transfer coding (Section 7 of [Messaging]). 1791 A proxy MUST NOT transform the payload (Section 6.3) of a message 1792 that contains a no-transform cache-control response directive 1793 (Section 5.2 of [Caching]). 1795 A proxy MAY transform the payload of a message that does not contain 1796 a no-transform cache-control directive. A proxy that transforms the 1797 payload of a 200 (OK) response can inform downstream recipients that 1798 a transformation has been applied by changing the response status 1799 code to 203 (Non-Authoritative Information) (Section 9.3.4). 1801 A proxy SHOULD NOT modify header fields that provide information 1802 about the endpoints of the communication chain, the resource state, 1803 or the selected representation (other than the payload) unless the 1804 field's definition specifically allows such modification or the 1805 modification is deemed necessary for privacy or security. 1807 6. Representations 1809 Considering that a resource could be anything, and that the uniform 1810 interface provided by HTTP is similar to a window through which one 1811 can observe and act upon such a thing only through the communication 1812 of messages to some independent actor on the other side, an 1813 abstraction is needed to represent ("take the place of") the current 1814 or desired state of that thing in our communications. That 1815 abstraction is called a representation [REST]. 1817 For the purposes of HTTP, a "representation" is information that is 1818 intended to reflect a past, current, or desired state of a given 1819 resource, in a format that can be readily communicated via the 1820 protocol, and that consists of a set of representation metadata and a 1821 potentially unbounded stream of representation data. 1823 An origin server might be provided with, or be capable of generating, 1824 multiple representations that are each intended to reflect the 1825 current state of a target resource. In such cases, some algorithm is 1826 used by the origin server to select one of those representations as 1827 most applicable to a given request, usually based on content 1828 negotiation. This "selected representation" is used to provide the 1829 data and metadata for evaluating conditional requests (Section 8.2) 1830 and constructing the payload for 200 (OK) and 304 (Not Modified) 1831 responses to GET (Section 7.3.1). 1833 6.1. Representation Data 1835 The representation data associated with an HTTP message is either 1836 provided as the payload body of the message or referred to by the 1837 message semantics and the effective request URI. The representation 1838 data is in a format and encoding defined by the representation 1839 metadata header fields. 1841 The data type of the representation data is determined via the header 1842 fields Content-Type and Content-Encoding. These define a two-layer, 1843 ordered encoding model: 1845 representation-data := Content-Encoding( Content-Type( bits ) ) 1847 6.1.1. Media Type 1849 HTTP uses media types [RFC2046] in the Content-Type (Section 6.2.1) 1850 and Accept (Section 8.4.2) header fields in order to provide open and 1851 extensible data typing and type negotiation. Media types define both 1852 a data format and various processing models: how to process that data 1853 in accordance with each context in which it is received. 1855 media-type = type "/" subtype *( OWS ";" OWS parameter ) 1856 type = token 1857 subtype = token 1859 The type and subtype tokens are case-insensitive. 1861 The type/subtype MAY be followed by semicolon-delimited parameters 1862 (Section 4.2.3.4) in the form of name=value pairs. The presence or 1863 absence of a parameter might be significant to the processing of a 1864 media type, depending on its definition within the media type 1865 registry. Parameter values might or might not be case-sensitive, 1866 depending on the semantics of the parameter name. 1868 For example, the following media types are equivalent in describing 1869 HTML text data encoded in the UTF-8 character encoding scheme, but 1870 the first is preferred for consistency (the "charset" parameter value 1871 is defined as being case-insensitive in [RFC2046], Section 4.1.2): 1873 text/html;charset=utf-8 1874 Text/HTML;Charset="utf-8" 1875 text/html; charset="utf-8" 1876 text/html;charset=UTF-8 1878 Media types ought to be registered with IANA according to the 1879 procedures defined in [BCP13]. 1881 6.1.1.1. Charset 1883 HTTP uses charset names to indicate or negotiate the character 1884 encoding scheme of a textual representation [RFC6365]. A charset is 1885 identified by a case-insensitive token. 1887 charset = token 1889 Charset names ought to be registered in the IANA "Character Sets" 1890 registry () 1891 according to the procedures defined in Section 2 of [RFC2978]. 1893 Note: In theory, charset names are defined by the "mime-charset" 1894 ABNF rule defined in Section 2.3 of [RFC2978] (as corrected in 1895 [Err1912]). That rule allows two characters that are not included 1896 in "token" ("{" and "}"), but no charset name registered at the 1897 time of this writing includes braces (see [Err5433]). 1899 6.1.1.2. Canonicalization and Text Defaults 1901 Media types are registered with a canonical form in order to be 1902 interoperable among systems with varying native encoding formats. 1903 Representations selected or transferred via HTTP ought to be in 1904 canonical form, for many of the same reasons described by the 1905 Multipurpose Internet Mail Extensions (MIME) [RFC2045]. However, the 1906 performance characteristics of email deployments (i.e., store and 1907 forward messages to peers) are significantly different from those 1908 common to HTTP and the Web (server-based information services). 1909 Furthermore, MIME's constraints for the sake of compatibility with 1910 older mail transfer protocols do not apply to HTTP (see Appendix B of 1911 [Messaging]). 1913 MIME's canonical form requires that media subtypes of the "text" type 1914 use CRLF as the text line break. HTTP allows the transfer of text 1915 media with plain CR or LF alone representing a line break, when such 1916 line breaks are consistent for an entire representation. An HTTP 1917 sender MAY generate, and a recipient MUST be able to parse, line 1918 breaks in text media that consist of CRLF, bare CR, or bare LF. In 1919 addition, text media in HTTP is not limited to charsets that use 1920 octets 13 and 10 for CR and LF, respectively. This flexibility 1921 regarding line breaks applies only to text within a representation 1922 that has been assigned a "text" media type; it does not apply to 1923 "multipart" types or HTTP elements outside the payload body (e.g., 1924 header fields). 1926 If a representation is encoded with a content-coding, the underlying 1927 data ought to be in a form defined above prior to being encoded. 1929 6.1.1.3. Multipart Types 1931 MIME provides for a number of "multipart" types -- encapsulations of 1932 one or more representations within a single message body. All 1933 multipart types share a common syntax, as defined in Section 5.1.1 of 1934 [RFC2046], and include a boundary parameter as part of the media type 1935 value. The message body is itself a protocol element; a sender MUST 1936 generate only CRLF to represent line breaks between body parts. 1938 HTTP message framing does not use the multipart boundary as an 1939 indicator of message body length, though it might be used by 1940 implementations that generate or process the payload. For example, 1941 the "multipart/form-data" type is often used for carrying form data 1942 in a request, as described in [RFC7578], and the "multipart/ 1943 byteranges" type is defined by this specification for use in some 206 1944 (Partial Content) responses (see Section 9.3.7). 1946 6.1.2. Content Codings 1948 Content coding values indicate an encoding transformation that has 1949 been or can be applied to a representation. Content codings are 1950 primarily used to allow a representation to be compressed or 1951 otherwise usefully transformed without losing the identity of its 1952 underlying media type and without loss of information. Frequently, 1953 the representation is stored in coded form, transmitted directly, and 1954 only decoded by the final recipient. 1956 content-coding = token 1958 Content-coding values are used in the Accept-Encoding (Section 8.4.4) 1959 and Content-Encoding (Section 6.2.2) header fields. 1961 The following content-coding values are defined by this 1962 specification: 1964 +------------+------------------------------------------+-----------+ 1965 | Name | Description | Reference | 1966 +------------+------------------------------------------+-----------+ 1967 | compress | UNIX "compress" data format [Welch] | Section | 1968 | | | 6.1.2.1 | 1969 | deflate | "deflate" compressed data ([RFC1951]) | Section | 1970 | | inside the "zlib" data format | 6.1.2.2 | 1971 | | ([RFC1950]) | | 1972 | gzip | GZIP file format [RFC1952] | Section | 1973 | | | 6.1.2.3 | 1974 | identity | Reserved (synonym for "no encoding" in | Section | 1975 | | Accept-Encoding) | 8.4.4 | 1976 | x-compress | Deprecated (alias for compress) | Section | 1977 | | | 6.1.2.1 | 1978 | x-gzip | Deprecated (alias for gzip) | Section | 1979 | | | 6.1.2.3 | 1980 +------------+------------------------------------------+-----------+ 1982 Table 2 1984 6.1.2.1. Compress Coding 1986 The "compress" coding is an adaptive Lempel-Ziv-Welch (LZW) coding 1987 [Welch] that is commonly produced by the UNIX file compression 1988 program "compress". A recipient SHOULD consider "x-compress" to be 1989 equivalent to "compress". 1991 6.1.2.2. Deflate Coding 1993 The "deflate" coding is a "zlib" data format [RFC1950] containing a 1994 "deflate" compressed data stream [RFC1951] that uses a combination of 1995 the Lempel-Ziv (LZ77) compression algorithm and Huffman coding. 1997 Note: Some non-conformant implementations send the "deflate" 1998 compressed data without the zlib wrapper. 2000 6.1.2.3. Gzip Coding 2002 The "gzip" coding is an LZ77 coding with a 32-bit Cyclic Redundancy 2003 Check (CRC) that is commonly produced by the gzip file compression 2004 program [RFC1952]. A recipient SHOULD consider "x-gzip" to be 2005 equivalent to "gzip". 2007 6.1.2.4. Content Coding Extensibility 2009 Additional content codings, outside the scope of this specification, 2010 have been specified for use in HTTP. All such content codings ought 2011 to be registered within the "HTTP Content Coding Registry". 2013 6.1.2.4.1. Content Coding Registry 2015 The "HTTP Content Coding Registry", maintained by IANA at 2016 , registers 2017 content-coding names. 2019 Content coding registrations MUST include the following fields: 2021 o Name 2023 o Description 2025 o Pointer to specification text 2027 Names of content codings MUST NOT overlap with names of transfer 2028 codings (Section 7 of [Messaging]), unless the encoding 2029 transformation is identical (as is the case for the compression 2030 codings defined in Section 6.1.2). 2032 Values to be added to this namespace require IETF Review (see 2033 Section 4.8 of [RFC8126]) and MUST conform to the purpose of content 2034 coding defined in Section 6.1.2. 2036 6.1.3. Language Tags 2038 A language tag, as defined in [RFC5646], identifies a natural 2039 language spoken, written, or otherwise conveyed by human beings for 2040 communication of information to other human beings. Computer 2041 languages are explicitly excluded. 2043 HTTP uses language tags within the Accept-Language and Content- 2044 Language header fields. Accept-Language uses the broader language- 2045 range production defined in Section 8.4.5, whereas Content-Language 2046 uses the language-tag production defined below. 2048 language-tag = 2050 A language tag is a sequence of one or more case-insensitive subtags, 2051 each separated by a hyphen character ("-", %x2D). In most cases, a 2052 language tag consists of a primary language subtag that identifies a 2053 broad family of related languages (e.g., "en" = English), which is 2054 optionally followed by a series of subtags that refine or narrow that 2055 language's range (e.g., "en-CA" = the variety of English as 2056 communicated in Canada). Whitespace is not allowed within a language 2057 tag. Example tags include: 2059 fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN 2061 See [RFC5646] for further information. 2063 6.1.4. Range Units 2065 A representation can be partitioned into subranges according to 2066 various structural units, depending on the structure inherent in the 2067 representation's media type. This "range unit" is used in the 2068 Accept-Ranges (Section 10.4.1) response header field to advertise 2069 support for range requests, the Range (Section 8.3) request header 2070 field to delineate the parts of a representation that are requested, 2071 and the Content-Range (Section 6.3.3) payload header field to 2072 describe which part of a representation is being transferred. 2074 range-unit = bytes-unit / other-range-unit 2076 The following range unit names are defined by this document: 2078 +-------------+---------------------------------------+-------------+ 2079 | Range Unit | Description | Reference | 2080 | Name | | | 2081 +-------------+---------------------------------------+-------------+ 2082 | bytes | a range of octets | Section | 2083 | | | 6.1.4.1 | 2084 | none | reserved as keyword, indicating no | Section | 2085 | | ranges are supported | 10.4.1 | 2086 +-------------+---------------------------------------+-------------+ 2088 Table 3 2090 6.1.4.1. Byte Ranges 2092 Since representation data is transferred in payloads as a sequence of 2093 octets, a byte range is a meaningful substructure for any 2094 representation transferable over HTTP (Section 6). The "bytes" range 2095 unit is defined for expressing subranges of the data's octet 2096 sequence. 2098 bytes-unit = "bytes" 2100 A byte-range request can specify a single range of bytes or a set of 2101 ranges within a single representation. 2103 byte-ranges-specifier = bytes-unit "=" byte-range-set 2104 byte-range-set = 1#( byte-range-spec / suffix-byte-range-spec ) 2105 byte-range-spec = first-byte-pos "-" [ last-byte-pos ] 2106 first-byte-pos = 1*DIGIT 2107 last-byte-pos = 1*DIGIT 2109 The first-byte-pos value in a byte-range-spec gives the byte-offset 2110 of the first byte in a range. The last-byte-pos value gives the 2111 byte-offset of the last byte in the range; that is, the byte 2112 positions specified are inclusive. Byte offsets start at zero. 2114 Examples of byte-ranges-specifier values: 2116 o The first 500 bytes (byte offsets 0-499, inclusive): 2118 bytes=0-499 2120 o The second 500 bytes (byte offsets 500-999, inclusive): 2122 bytes=500-999 2124 A byte-range-spec is invalid if the last-byte-pos value is present 2125 and less than the first-byte-pos. 2127 A client can limit the number of bytes requested without knowing the 2128 size of the selected representation. If the last-byte-pos value is 2129 absent, or if the value is greater than or equal to the current 2130 length of the representation data, the byte range is interpreted as 2131 the remainder of the representation (i.e., the server replaces the 2132 value of last-byte-pos with a value that is one less than the current 2133 length of the selected representation). 2135 A client can request the last N bytes of the selected representation 2136 using a suffix-byte-range-spec. 2138 suffix-byte-range-spec = "-" suffix-length 2139 suffix-length = 1*DIGIT 2141 If the selected representation is shorter than the specified suffix- 2142 length, the entire representation is used. 2144 Additional examples, assuming a representation of length 10000: 2146 o The final 500 bytes (byte offsets 9500-9999, inclusive): 2148 bytes=-500 2150 Or: 2152 bytes=9500- 2154 o The first and last bytes only (bytes 0 and 9999): 2156 bytes=0-0,-1 2158 o Other valid (but not canonical) specifications of the second 500 2159 bytes (byte offsets 500-999, inclusive): 2161 bytes=500-600,601-999 2162 bytes=500-700,601-999 2164 If a valid byte-range-set includes at least one byte-range-spec with 2165 a first-byte-pos that is less than the current length of the 2166 representation, or at least one suffix-byte-range-spec with a non- 2167 zero suffix-length, then the byte-range-set is satisfiable. 2168 Otherwise, the byte-range-set is unsatisfiable. 2170 In the byte-range syntax, first-byte-pos, last-byte-pos, and suffix- 2171 length are expressed as decimal number of octets. Since there is no 2172 predefined limit to the length of a payload, recipients MUST 2173 anticipate potentially large decimal numerals and prevent parsing 2174 errors due to integer conversion overflows. 2176 6.1.4.2. Other Range Units 2178 Range units are intended to be extensible. New range units ought to 2179 be registered with IANA, as defined in Section 6.1.4.3. 2181 other-range-unit = token 2183 6.1.4.3. Range Unit Registry 2185 The "HTTP Range Unit Registry" defines the namespace for the range 2186 unit names and refers to their corresponding specifications. It is 2187 maintained at . 2189 Registration of an HTTP Range Unit MUST include the following fields: 2191 o Name 2193 o Description 2195 o Pointer to specification text 2197 Values to be added to this namespace require IETF Review (see 2198 [RFC8126], Section 4.8). 2200 6.2. Representation Metadata 2202 Representation header fields provide metadata about the 2203 representation. When a message includes a payload body, the 2204 representation header fields describe how to interpret the 2205 representation data enclosed in the payload body. In a response to a 2206 HEAD request, the representation header fields describe the 2207 representation data that would have been enclosed in the payload body 2208 if the same request had been a GET. 2210 The following header fields convey representation metadata: 2212 +-------------------+---------------+ 2213 | Header Field Name | Defined in... | 2214 +-------------------+---------------+ 2215 | Content-Type | Section 6.2.1 | 2216 | Content-Encoding | Section 6.2.2 | 2217 | Content-Language | Section 6.2.3 | 2218 | Content-Length | Section 6.2.4 | 2219 | Content-Location | Section 6.2.5 | 2220 +-------------------+---------------+ 2222 6.2.1. Content-Type 2224 The "Content-Type" header field indicates the media type of the 2225 associated representation: either the representation enclosed in the 2226 message payload or the selected representation, as determined by the 2227 message semantics. The indicated media type defines both the data 2228 format and how that data is intended to be processed by a recipient, 2229 within the scope of the received message semantics, after any content 2230 codings indicated by Content-Encoding are decoded. 2232 Content-Type = media-type 2234 Media types are defined in Section 6.1.1. An example of the field is 2236 Content-Type: text/html; charset=ISO-8859-4 2238 A sender that generates a message containing a payload body SHOULD 2239 generate a Content-Type header field in that message unless the 2240 intended media type of the enclosed representation is unknown to the 2241 sender. If a Content-Type header field is not present, the recipient 2242 MAY either assume a media type of "application/octet-stream" 2243 ([RFC2046], Section 4.5.1) or examine the data to determine its type. 2245 In practice, resource owners do not always properly configure their 2246 origin server to provide the correct Content-Type for a given 2247 representation. Some user agents examine a payload's content and, in 2248 certain cases, override the received type (for example, see 2249 [Sniffing]). This "MIME sniffing" risks drawing incorrect 2250 conclusions about the data, which might expose the user to additional 2251 security risks (e.g., "privilege escalation"). Furthermore, it is 2252 impossible to determine the sender's intended processing model by 2253 examining the data format: many data formats match multiple media 2254 types that differ only in processing semantics. Implementers are 2255 encouraged to provide a means to disable such sniffing. 2257 6.2.2. Content-Encoding 2259 The "Content-Encoding" header field indicates what content codings 2260 have been applied to the representation, beyond those inherent in the 2261 media type, and thus what decoding mechanisms have to be applied in 2262 order to obtain data in the media type referenced by the Content-Type 2263 header field. Content-Encoding is primarily used to allow a 2264 representation's data to be compressed without losing the identity of 2265 its underlying media type. 2267 Content-Encoding = 1#content-coding 2269 An example of its use is 2271 Content-Encoding: gzip 2273 If one or more encodings have been applied to a representation, the 2274 sender that applied the encodings MUST generate a Content-Encoding 2275 header field that lists the content codings in the order in which 2276 they were applied. Additional information about the encoding 2277 parameters can be provided by other header fields not defined by this 2278 specification. 2280 Unlike Transfer-Encoding (Section 6.1 of [Messaging]), the codings 2281 listed in Content-Encoding are a characteristic of the 2282 representation; the representation is defined in terms of the coded 2283 form, and all other metadata about the representation is about the 2284 coded form unless otherwise noted in the metadata definition. 2285 Typically, the representation is only decoded just prior to rendering 2286 or analogous usage. 2288 If the media type includes an inherent encoding, such as a data 2289 format that is always compressed, then that encoding would not be 2290 restated in Content-Encoding even if it happens to be the same 2291 algorithm as one of the content codings. Such a content coding would 2292 only be listed if, for some bizarre reason, it is applied a second 2293 time to form the representation. Likewise, an origin server might 2294 choose to publish the same data as multiple representations that 2295 differ only in whether the coding is defined as part of Content-Type 2296 or Content-Encoding, since some user agents will behave differently 2297 in their handling of each response (e.g., open a "Save as ..." dialog 2298 instead of automatic decompression and rendering of content). 2300 An origin server MAY respond with a status code of 415 (Unsupported 2301 Media Type) if a representation in the request message has a content 2302 coding that is not acceptable. 2304 6.2.3. Content-Language 2306 The "Content-Language" header field describes the natural language(s) 2307 of the intended audience for the representation. Note that this 2308 might not be equivalent to all the languages used within the 2309 representation. 2311 Content-Language = 1#language-tag 2313 Language tags are defined in Section 6.1.3. The primary purpose of 2314 Content-Language is to allow a user to identify and differentiate 2315 representations according to the users' own preferred language. 2316 Thus, if the content is intended only for a Danish-literate audience, 2317 the appropriate field is 2319 Content-Language: da 2321 If no Content-Language is specified, the default is that the content 2322 is intended for all language audiences. This might mean that the 2323 sender does not consider it to be specific to any natural language, 2324 or that the sender does not know for which language it is intended. 2326 Multiple languages MAY be listed for content that is intended for 2327 multiple audiences. For example, a rendition of the "Treaty of 2328 Waitangi", presented simultaneously in the original Maori and English 2329 versions, would call for 2331 Content-Language: mi, en 2333 However, just because multiple languages are present within a 2334 representation does not mean that it is intended for multiple 2335 linguistic audiences. An example would be a beginner's language 2336 primer, such as "A First Lesson in Latin", which is clearly intended 2337 to be used by an English-literate audience. In this case, the 2338 Content-Language would properly only include "en". 2340 Content-Language MAY be applied to any media type -- it is not 2341 limited to textual documents. 2343 6.2.4. Content-Length 2345 [[CREF4: The "Content-Length" header field indicates the number of 2346 data octets (body length) for the representation. In some cases, 2347 Content-Length is used to define or estimate message framing. ]] 2349 Content-Length = 1*DIGIT 2351 An example is 2352 Content-Length: 3495 2354 A sender MUST NOT send a Content-Length header field in any message 2355 that contains a Transfer-Encoding header field. 2357 A user agent SHOULD send a Content-Length in a request message when 2358 no Transfer-Encoding is sent and the request method defines a meaning 2359 for an enclosed payload body. For example, a Content-Length header 2360 field is normally sent in a POST request even when the value is 0 2361 (indicating an empty payload body). A user agent SHOULD NOT send a 2362 Content-Length header field when the request message does not contain 2363 a payload body and the method semantics do not anticipate such a 2364 body. 2366 A server MAY send a Content-Length header field in a response to a 2367 HEAD request (Section 7.3.2); a server MUST NOT send Content-Length 2368 in such a response unless its field-value equals the decimal number 2369 of octets that would have been sent in the payload body of a response 2370 if the same request had used the GET method. 2372 A server MAY send a Content-Length header field in a 304 (Not 2373 Modified) response to a conditional GET request (Section 9.4.5); a 2374 server MUST NOT send Content-Length in such a response unless its 2375 field-value equals the decimal number of octets that would have been 2376 sent in the payload body of a 200 (OK) response to the same request. 2378 A server MUST NOT send a Content-Length header field in any response 2379 with a status code of 1xx (Informational) or 204 (No Content). A 2380 server MUST NOT send a Content-Length header field in any 2xx 2381 (Successful) response to a CONNECT request (Section 7.3.6). 2383 Aside from the cases defined above, in the absence of Transfer- 2384 Encoding, an origin server SHOULD send a Content-Length header field 2385 when the payload body size is known prior to sending the complete 2386 header section. This will allow downstream recipients to measure 2387 transfer progress, know when a received message is complete, and 2388 potentially reuse the connection for additional requests. 2390 Any Content-Length field value greater than or equal to zero is 2391 valid. Since there is no predefined limit to the length of a 2392 payload, a recipient MUST anticipate potentially large decimal 2393 numerals and prevent parsing errors due to integer conversion 2394 overflows (Section 12.5). 2396 If a message is received that has multiple Content-Length header 2397 fields with field-values consisting of the same decimal value, or a 2398 single Content-Length header field with a field value containing a 2399 list of identical decimal values (e.g., "Content-Length: 42, 42"), 2400 indicating that duplicate Content-Length header fields have been 2401 generated or combined by an upstream message processor, then the 2402 recipient MUST either reject the message as invalid or replace the 2403 duplicated field-values with a single valid Content-Length field 2404 containing that decimal value prior to determining the message body 2405 length or forwarding the message. 2407 6.2.5. Content-Location 2409 The "Content-Location" header field references a URI that can be used 2410 as an identifier for a specific resource corresponding to the 2411 representation in this message's payload. In other words, if one 2412 were to perform a GET request on this URI at the time of this 2413 message's generation, then a 200 (OK) response would contain the same 2414 representation that is enclosed as payload in this message. 2416 Content-Location = absolute-URI / partial-URI 2418 The Content-Location value is not a replacement for the effective 2419 Request URI (Section 5.3). It is representation metadata. It has 2420 the same syntax and semantics as the header field of the same name 2421 defined for MIME body parts in Section 4 of [RFC2557]. However, its 2422 appearance in an HTTP message has some special implications for HTTP 2423 recipients. 2425 If Content-Location is included in a 2xx (Successful) response 2426 message and its value refers (after conversion to absolute form) to a 2427 URI that is the same as the effective request URI, then the recipient 2428 MAY consider the payload to be a current representation of that 2429 resource at the time indicated by the message origination date. For 2430 a GET (Section 7.3.1) or HEAD (Section 7.3.2) request, this is the 2431 same as the default semantics when no Content-Location is provided by 2432 the server. For a state-changing request like PUT (Section 7.3.4) or 2433 POST (Section 7.3.3), it implies that the server's response contains 2434 the new representation of that resource, thereby distinguishing it 2435 from representations that might only report about the action (e.g., 2436 "It worked!"). This allows authoring applications to update their 2437 local copies without the need for a subsequent GET request. 2439 If Content-Location is included in a 2xx (Successful) response 2440 message and its field-value refers to a URI that differs from the 2441 effective request URI, then the origin server claims that the URI is 2442 an identifier for a different resource corresponding to the enclosed 2443 representation. Such a claim can only be trusted if both identifiers 2444 share the same resource owner, which cannot be programmatically 2445 determined via HTTP. 2447 o For a response to a GET or HEAD request, this is an indication 2448 that the effective request URI refers to a resource that is 2449 subject to content negotiation and the Content-Location field- 2450 value is a more specific identifier for the selected 2451 representation. 2453 o For a 201 (Created) response to a state-changing method, a 2454 Content-Location field-value that is identical to the Location 2455 field-value indicates that this payload is a current 2456 representation of the newly created resource. 2458 o Otherwise, such a Content-Location indicates that this payload is 2459 a representation reporting on the requested action's status and 2460 that the same report is available (for future access with GET) at 2461 the given URI. For example, a purchase transaction made via a 2462 POST request might include a receipt document as the payload of 2463 the 200 (OK) response; the Content-Location field-value provides 2464 an identifier for retrieving a copy of that same receipt in the 2465 future. 2467 A user agent that sends Content-Location in a request message is 2468 stating that its value refers to where the user agent originally 2469 obtained the content of the enclosed representation (prior to any 2470 modifications made by that user agent). In other words, the user 2471 agent is providing a back link to the source of the original 2472 representation. 2474 An origin server that receives a Content-Location field in a request 2475 message MUST treat the information as transitory request context 2476 rather than as metadata to be saved verbatim as part of the 2477 representation. An origin server MAY use that context to guide in 2478 processing the request or to save it for other uses, such as within 2479 source links or versioning metadata. However, an origin server MUST 2480 NOT use such context information to alter the request semantics. 2482 For example, if a client makes a PUT request on a negotiated resource 2483 and the origin server accepts that PUT (without redirection), then 2484 the new state of that resource is expected to be consistent with the 2485 one representation supplied in that PUT; the Content-Location cannot 2486 be used as a form of reverse content selection identifier to update 2487 only one of the negotiated representations. If the user agent had 2488 wanted the latter semantics, it would have applied the PUT directly 2489 to the Content-Location URI. 2491 6.3. Payload 2493 Some HTTP messages transfer a complete or partial representation as 2494 the message "payload". In some cases, a payload might contain only 2495 the associated representation's header fields (e.g., responses to 2496 HEAD) or only some part(s) of the representation data (e.g., the 206 2497 (Partial Content) status code). 2499 Header fields that specifically describe the payload, rather than the 2500 associated representation, are referred to as "payload header 2501 fields". Payload header fields are defined in other parts of this 2502 specification, due to their impact on message parsing. 2504 +-------------------+----------------------------+ 2505 | Header Field Name | Defined in... | 2506 +-------------------+----------------------------+ 2507 | Content-Range | Section 6.3.3 | 2508 | Trailer | Section 4.4 | 2509 | Transfer-Encoding | Section 6.1 of [Messaging] | 2510 +-------------------+----------------------------+ 2512 6.3.1. Purpose 2514 The purpose of a payload in a request is defined by the method 2515 semantics. For example, a representation in the payload of a PUT 2516 request (Section 7.3.4) represents the desired state of the target 2517 resource if the request is successfully applied, whereas a 2518 representation in the payload of a POST request (Section 7.3.3) 2519 represents information to be processed by the target resource. 2521 In a response, the payload's purpose is defined by both the request 2522 method and the response status code. For example, the payload of a 2523 200 (OK) response to GET (Section 7.3.1) represents the current state 2524 of the target resource, as observed at the time of the message 2525 origination date (Section 10.1.1.2), whereas the payload of the same 2526 status code in a response to POST might represent either the 2527 processing result or the new state of the target resource after 2528 applying the processing. Response messages with an error status code 2529 usually contain a payload that represents the error condition, such 2530 that it describes the error state and what next steps are suggested 2531 for resolving it. 2533 6.3.2. Identification 2535 When a complete or partial representation is transferred in a message 2536 payload, it is often desirable for the sender to supply, or the 2537 recipient to determine, an identifier for a resource corresponding to 2538 that representation. 2540 For a request message: 2542 o If the request has a Content-Location header field, then the 2543 sender asserts that the payload is a representation of the 2544 resource identified by the Content-Location field-value. However, 2545 such an assertion cannot be trusted unless it can be verified by 2546 other means (not defined by this specification). The information 2547 might still be useful for revision history links. 2549 o Otherwise, the payload is unidentified. 2551 For a response message, the following rules are applied in order 2552 until a match is found: 2554 1. If the request method is GET or HEAD and the response status code 2555 is 200 (OK), 204 (No Content), 206 (Partial Content), or 304 (Not 2556 Modified), the payload is a representation of the resource 2557 identified by the effective request URI (Section 5.3). 2559 2. If the request method is GET or HEAD and the response status code 2560 is 203 (Non-Authoritative Information), the payload is a 2561 potentially modified or enhanced representation of the target 2562 resource as provided by an intermediary. 2564 3. If the response has a Content-Location header field and its 2565 field-value is a reference to the same URI as the effective 2566 request URI, the payload is a representation of the resource 2567 identified by the effective request URI. 2569 4. If the response has a Content-Location header field and its 2570 field-value is a reference to a URI different from the effective 2571 request URI, then the sender asserts that the payload is a 2572 representation of the resource identified by the Content-Location 2573 field-value. However, such an assertion cannot be trusted unless 2574 it can be verified by other means (not defined by this 2575 specification). 2577 5. Otherwise, the payload is unidentified. 2579 6.3.3. Content-Range 2581 The "Content-Range" header field is sent in a single part 206 2582 (Partial Content) response to indicate the partial range of the 2583 selected representation enclosed as the message payload, sent in each 2584 part of a multipart 206 response to indicate the range enclosed 2585 within each body part, and sent in 416 (Range Not Satisfiable) 2586 responses to provide information about the selected representation. 2588 Content-Range = byte-content-range 2589 / other-content-range 2591 byte-content-range = bytes-unit SP 2592 ( byte-range-resp / unsatisfied-range ) 2594 byte-range-resp = byte-range "/" ( complete-length / "*" ) 2595 byte-range = first-byte-pos "-" last-byte-pos 2596 unsatisfied-range = "*/" complete-length 2598 complete-length = 1*DIGIT 2600 other-content-range = other-range-unit SP other-range-resp 2601 other-range-resp = *VCHAR 2603 If a 206 (Partial Content) response contains a Content-Range header 2604 field with a range unit (Section 6.1.4) that the recipient does not 2605 understand, the recipient MUST NOT attempt to recombine it with a 2606 stored representation. A proxy that receives such a message SHOULD 2607 forward it downstream. 2609 For byte ranges, a sender SHOULD indicate the complete length of the 2610 representation from which the range has been extracted, unless the 2611 complete length is unknown or difficult to determine. An asterisk 2612 character ("*") in place of the complete-length indicates that the 2613 representation length was unknown when the header field was 2614 generated. 2616 The following example illustrates when the complete length of the 2617 selected representation is known by the sender to be 1234 bytes: 2619 Content-Range: bytes 42-1233/1234 2621 and this second example illustrates when the complete length is 2622 unknown: 2624 Content-Range: bytes 42-1233/* 2626 A Content-Range field value is invalid if it contains a byte-range- 2627 resp that has a last-byte-pos value less than its first-byte-pos 2628 value, or a complete-length value less than or equal to its last- 2629 byte-pos value. The recipient of an invalid Content-Range MUST NOT 2630 attempt to recombine the received content with a stored 2631 representation. 2633 A server generating a 416 (Range Not Satisfiable) response to a byte- 2634 range request SHOULD send a Content-Range header field with an 2635 unsatisfied-range value, as in the following example: 2637 Content-Range: bytes */1234 2639 The complete-length in a 416 response indicates the current length of 2640 the selected representation. 2642 The Content-Range header field has no meaning for status codes that 2643 do not explicitly describe its semantic. For this specification, 2644 only the 206 (Partial Content) and 416 (Range Not Satisfiable) status 2645 codes describe a meaning for Content-Range. 2647 The following are examples of Content-Range values in which the 2648 selected representation contains a total of 1234 bytes: 2650 o The first 500 bytes: 2652 Content-Range: bytes 0-499/1234 2654 o The second 500 bytes: 2656 Content-Range: bytes 500-999/1234 2658 o All except for the first 500 bytes: 2660 Content-Range: bytes 500-1233/1234 2662 o The last 500 bytes: 2664 Content-Range: bytes 734-1233/1234 2666 6.3.4. Media Type multipart/byteranges 2668 When a 206 (Partial Content) response message includes the content of 2669 multiple ranges, they are transmitted as body parts in a multipart 2670 message body ([RFC2046], Section 5.1) with the media type of 2671 "multipart/byteranges". 2673 The multipart/byteranges media type includes one or more body parts, 2674 each with its own Content-Type and Content-Range fields. The 2675 required boundary parameter specifies the boundary string used to 2676 separate each body part. 2678 Implementation Notes: 2680 1. Additional CRLFs might precede the first boundary string in the 2681 body. 2683 2. Although [RFC2046] permits the boundary string to be quoted, some 2684 existing implementations handle a quoted boundary string 2685 incorrectly. 2687 3. A number of clients and servers were coded to an early draft of 2688 the byteranges specification that used a media type of multipart/ 2689 x-byteranges, which is almost (but not quite) compatible with 2690 this type. 2692 Despite the name, the "multipart/byteranges" media type is not 2693 limited to byte ranges. The following example uses an "exampleunit" 2694 range unit: 2696 HTTP/1.1 206 Partial Content 2697 Date: Tue, 14 Nov 1995 06:25:24 GMT 2698 Last-Modified: Tue, 14 July 04:58:08 GMT 2699 Content-Length: 2331785 2700 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 2702 --THIS_STRING_SEPARATES 2703 Content-Type: video/example 2704 Content-Range: exampleunit 1.2-4.3/25 2706 ...the first range... 2707 --THIS_STRING_SEPARATES 2708 Content-Type: video/example 2709 Content-Range: exampleunit 11.2-14.3/25 2711 ...the second range 2712 --THIS_STRING_SEPARATES-- 2714 The following information serves as the registration form for the 2715 multipart/byteranges media type. 2717 Type name: multipart 2719 Subtype name: byteranges 2721 Required parameters: boundary 2723 Optional parameters: N/A 2724 Encoding considerations: only "7bit", "8bit", or "binary" are 2725 permitted 2727 Security considerations: see Section 12 2729 Interoperability considerations: N/A 2731 Published specification: This specification (see Section 6.3.4). 2733 Applications that use this media type: HTTP components supporting 2734 multiple ranges in a single request. 2736 Fragment identifier considerations: N/A 2738 Additional information: 2740 Deprecated alias names for this type: N/A 2742 Magic number(s): N/A 2744 File extension(s): N/A 2746 Macintosh file type code(s): N/A 2748 Person and email address to contact for further information: See Aut 2749 hors' Addresses section. 2751 Intended usage: COMMON 2753 Restrictions on usage: N/A 2755 Author: See Authors' Addresses section. 2757 Change controller: IESG 2759 6.4. Content Negotiation 2761 When responses convey payload information, whether indicating a 2762 success or an error, the origin server often has different ways of 2763 representing that information; for example, in different formats, 2764 languages, or encodings. Likewise, different users or user agents 2765 might have differing capabilities, characteristics, or preferences 2766 that could influence which representation, among those available, 2767 would be best to deliver. For this reason, HTTP provides mechanisms 2768 for content negotiation. 2770 This specification defines two patterns of content negotiation that 2771 can be made visible within the protocol: "proactive", where the 2772 server selects the representation based upon the user agent's stated 2773 preferences, and "reactive" negotiation, where the server provides a 2774 list of representations for the user agent to choose from. Other 2775 patterns of content negotiation include "conditional content", where 2776 the representation consists of multiple parts that are selectively 2777 rendered based on user agent parameters, "active content", where the 2778 representation contains a script that makes additional (more 2779 specific) requests based on the user agent characteristics, and 2780 "Transparent Content Negotiation" ([RFC2295]), where content 2781 selection is performed by an intermediary. These patterns are not 2782 mutually exclusive, and each has trade-offs in applicability and 2783 practicality. 2785 Note that, in all cases, HTTP is not aware of the resource semantics. 2786 The consistency with which an origin server responds to requests, 2787 over time and over the varying dimensions of content negotiation, and 2788 thus the "sameness" of a resource's observed representations over 2789 time, is determined entirely by whatever entity or algorithm selects 2790 or generates those responses. HTTP pays no attention to the man 2791 behind the curtain. 2793 6.4.1. Proactive Negotiation 2795 When content negotiation preferences are sent by the user agent in a 2796 request to encourage an algorithm located at the server to select the 2797 preferred representation, it is called proactive negotiation (a.k.a., 2798 server-driven negotiation). Selection is based on the available 2799 representations for a response (the dimensions over which it might 2800 vary, such as language, content-coding, etc.) compared to various 2801 information supplied in the request, including both the explicit 2802 negotiation fields of Section 8.4 and implicit characteristics, such 2803 as the client's network address or parts of the User-Agent field. 2805 Proactive negotiation is advantageous when the algorithm for 2806 selecting from among the available representations is difficult to 2807 describe to a user agent, or when the server desires to send its 2808 "best guess" to the user agent along with the first response (hoping 2809 to avoid the round trip delay of a subsequent request if the "best 2810 guess" is good enough for the user). In order to improve the 2811 server's guess, a user agent MAY send request header fields that 2812 describe its preferences. 2814 Proactive negotiation has serious disadvantages: 2816 o It is impossible for the server to accurately determine what might 2817 be "best" for any given user, since that would require complete 2818 knowledge of both the capabilities of the user agent and the 2819 intended use for the response (e.g., does the user want to view it 2820 on screen or print it on paper?); 2822 o Having the user agent describe its capabilities in every request 2823 can be both very inefficient (given that only a small percentage 2824 of responses have multiple representations) and a potential risk 2825 to the user's privacy; 2827 o It complicates the implementation of an origin server and the 2828 algorithms for generating responses to a request; and, 2830 o It limits the reusability of responses for shared caching. 2832 A user agent cannot rely on proactive negotiation preferences being 2833 consistently honored, since the origin server might not implement 2834 proactive negotiation for the requested resource or might decide that 2835 sending a response that doesn't conform to the user agent's 2836 preferences is better than sending a 406 (Not Acceptable) response. 2838 A Vary header field (Section 10.1.4) is often sent in a response 2839 subject to proactive negotiation to indicate what parts of the 2840 request information were used in the selection algorithm. 2842 6.4.2. Reactive Negotiation 2844 With reactive negotiation (a.k.a., agent-driven negotiation), 2845 selection of the best response representation (regardless of the 2846 status code) is performed by the user agent after receiving an 2847 initial response from the origin server that contains a list of 2848 resources for alternative representations. If the user agent is not 2849 satisfied by the initial response representation, it can perform a 2850 GET request on one or more of the alternative resources, selected 2851 based on metadata included in the list, to obtain a different form of 2852 representation for that response. Selection of alternatives might be 2853 performed automatically by the user agent or manually by the user 2854 selecting from a generated (possibly hypertext) menu. 2856 Note that the above refers to representations of the response, in 2857 general, not representations of the resource. The alternative 2858 representations are only considered representations of the target 2859 resource if the response in which those alternatives are provided has 2860 the semantics of being a representation of the target resource (e.g., 2861 a 200 (OK) response to a GET request) or has the semantics of 2862 providing links to alternative representations for the target 2863 resource (e.g., a 300 (Multiple Choices) response to a GET request). 2865 A server might choose not to send an initial representation, other 2866 than the list of alternatives, and thereby indicate that reactive 2867 negotiation by the user agent is preferred. For example, the 2868 alternatives listed in responses with the 300 (Multiple Choices) and 2869 406 (Not Acceptable) status codes include information about the 2870 available representations so that the user or user agent can react by 2871 making a selection. 2873 Reactive negotiation is advantageous when the response would vary 2874 over commonly used dimensions (such as type, language, or encoding), 2875 when the origin server is unable to determine a user agent's 2876 capabilities from examining the request, and generally when public 2877 caches are used to distribute server load and reduce network usage. 2879 Reactive negotiation suffers from the disadvantages of transmitting a 2880 list of alternatives to the user agent, which degrades user-perceived 2881 latency if transmitted in the header section, and needing a second 2882 request to obtain an alternate representation. Furthermore, this 2883 specification does not define a mechanism for supporting automatic 2884 selection, though it does not prevent such a mechanism from being 2885 developed as an extension. 2887 7. Request Methods 2889 7.1. Overview 2891 The request method token is the primary source of request semantics; 2892 it indicates the purpose for which the client has made this request 2893 and what is expected by the client as a successful result. 2895 The request method's semantics might be further specialized by the 2896 semantics of some header fields when present in a request (Section 8) 2897 if those additional semantics do not conflict with the method. For 2898 example, a client can send conditional request header fields 2899 (Section 8.2) to make the requested action conditional on the current 2900 state of the target resource. 2902 method = token 2904 HTTP was originally designed to be usable as an interface to 2905 distributed object systems. The request method was envisioned as 2906 applying semantics to a target resource in much the same way as 2907 invoking a defined method on an identified object would apply 2908 semantics. 2910 The method token is case-sensitive because it might be used as a 2911 gateway to object-based systems with case-sensitive method names. By 2912 convention, standardized methods are defined in all-uppercase US- 2913 ASCII letters. 2915 Unlike distributed objects, the standardized request methods in HTTP 2916 are not resource-specific, since uniform interfaces provide for 2917 better visibility and reuse in network-based systems [REST]. Once 2918 defined, a standardized method ought to have the same semantics when 2919 applied to any resource, though each resource determines for itself 2920 whether those semantics are implemented or allowed. 2922 This specification defines a number of standardized methods that are 2923 commonly used in HTTP, as outlined by the following table. 2925 +---------+-------------------------------------------------+-------+ 2926 | Method | Description | Sec. | 2927 +---------+-------------------------------------------------+-------+ 2928 | GET | Transfer a current representation of the target | 7.3.1 | 2929 | | resource. | | 2930 | HEAD | Same as GET, but only transfer the status line | 7.3.2 | 2931 | | and header section. | | 2932 | POST | Perform resource-specific processing on the | 7.3.3 | 2933 | | request payload. | | 2934 | PUT | Replace all current representations of the | 7.3.4 | 2935 | | target resource with the request payload. | | 2936 | DELETE | Remove all current representations of the | 7.3.5 | 2937 | | target resource. | | 2938 | CONNECT | Establish a tunnel to the server identified by | 7.3.6 | 2939 | | the target resource. | | 2940 | OPTIONS | Describe the communication options for the | 7.3.7 | 2941 | | target resource. | | 2942 | TRACE | Perform a message loop-back test along the path | 7.3.8 | 2943 | | to the target resource. | | 2944 +---------+-------------------------------------------------+-------+ 2946 Table 4 2948 All general-purpose servers MUST support the methods GET and HEAD. 2949 All other methods are OPTIONAL. 2951 The set of methods allowed by a target resource can be listed in an 2952 Allow header field (Section 10.4.2). However, the set of allowed 2953 methods can change dynamically. When a request method is received 2954 that is unrecognized or not implemented by an origin server, the 2955 origin server SHOULD respond with the 501 (Not Implemented) status 2956 code. When a request method is received that is known by an origin 2957 server but not allowed for the target resource, the origin server 2958 SHOULD respond with the 405 (Method Not Allowed) status code. 2960 7.2. Common Method Properties 2962 +---------+------+------------+----------------+ 2963 | Method | Safe | Idempotent | Reference | 2964 +---------+------+------------+----------------+ 2965 | CONNECT | no | no | Section 7.3.6 | 2966 | DELETE | no | yes | Section 7.3.5 | 2967 | GET | yes | yes | Section 7.3.1 | 2968 | HEAD | yes | yes | Section 7.3.2 | 2969 | OPTIONS | yes | yes | Section 7.3.7 | 2970 | POST | no | no | Section 7.3.3 | 2971 | PUT | no | yes | Section 7.3.4 | 2972 | TRACE | yes | yes | Section 7.3.8 | 2973 +---------+------+------------+----------------+ 2975 Table 5 2977 7.2.1. Safe Methods 2979 Request methods are considered "safe" if their defined semantics are 2980 essentially read-only; i.e., the client does not request, and does 2981 not expect, any state change on the origin server as a result of 2982 applying a safe method to a target resource. Likewise, reasonable 2983 use of a safe method is not expected to cause any harm, loss of 2984 property, or unusual burden on the origin server. 2986 This definition of safe methods does not prevent an implementation 2987 from including behavior that is potentially harmful, that is not 2988 entirely read-only, or that causes side effects while invoking a safe 2989 method. What is important, however, is that the client did not 2990 request that additional behavior and cannot be held accountable for 2991 it. For example, most servers append request information to access 2992 log files at the completion of every response, regardless of the 2993 method, and that is considered safe even though the log storage might 2994 become full and crash the server. Likewise, a safe request initiated 2995 by selecting an advertisement on the Web will often have the side 2996 effect of charging an advertising account. 2998 Of the request methods defined by this specification, the GET, HEAD, 2999 OPTIONS, and TRACE methods are defined to be safe. 3001 The purpose of distinguishing between safe and unsafe methods is to 3002 allow automated retrieval processes (spiders) and cache performance 3003 optimization (pre-fetching) to work without fear of causing harm. In 3004 addition, it allows a user agent to apply appropriate constraints on 3005 the automated use of unsafe methods when processing potentially 3006 untrusted content. 3008 A user agent SHOULD distinguish between safe and unsafe methods when 3009 presenting potential actions to a user, such that the user can be 3010 made aware of an unsafe action before it is requested. 3012 When a resource is constructed such that parameters within the 3013 effective request URI have the effect of selecting an action, it is 3014 the resource owner's responsibility to ensure that the action is 3015 consistent with the request method semantics. For example, it is 3016 common for Web-based content editing software to use actions within 3017 query parameters, such as "page?do=delete". If the purpose of such a 3018 resource is to perform an unsafe action, then the resource owner MUST 3019 disable or disallow that action when it is accessed using a safe 3020 request method. Failure to do so will result in unfortunate side 3021 effects when automated processes perform a GET on every URI reference 3022 for the sake of link maintenance, pre-fetching, building a search 3023 index, etc. 3025 7.2.2. Idempotent Methods 3027 A request method is considered "idempotent" if the intended effect on 3028 the server of multiple identical requests with that method is the 3029 same as the effect for a single such request. Of the request methods 3030 defined by this specification, PUT, DELETE, and safe request methods 3031 are idempotent. 3033 Like the definition of safe, the idempotent property only applies to 3034 what has been requested by the user; a server is free to log each 3035 request separately, retain a revision control history, or implement 3036 other non-idempotent side effects for each idempotent request. 3038 Idempotent methods are distinguished because the request can be 3039 repeated automatically if a communication failure occurs before the 3040 client is able to read the server's response. For example, if a 3041 client sends a PUT request and the underlying connection is closed 3042 before any response is received, then the client can establish a new 3043 connection and retry the idempotent request. It knows that repeating 3044 the request will have the same intended effect, even if the original 3045 request succeeded, though the response might differ. 3047 A user agent MUST NOT automatically retry a request with a non- 3048 idempotent method unless it has some means to know that the request 3049 semantics are actually idempotent, regardless of the method, or some 3050 means to detect that the original request was never applied. For 3051 example, a user agent that knows (through design or configuration) 3052 that a POST request to a given resource is safe can repeat that 3053 request automatically. Likewise, a user agent designed specifically 3054 to operate on a version control repository might be able to recover 3055 from partial failure conditions by checking the target resource 3056 revision(s) after a failed connection, reverting or fixing any 3057 changes that were partially applied, and then automatically retrying 3058 the requests that failed. 3060 A proxy MUST NOT automatically retry non-idempotent requests. 3062 A client SHOULD NOT automatically retry a failed automatic retry. 3064 7.2.3. Cacheable Methods 3066 Request methods can be defined as "cacheable" to indicate that 3067 responses to them are allowed to be stored for future reuse; for 3068 specific requirements see [Caching]. In general, safe methods that 3069 do not depend on a current or authoritative response are defined as 3070 cacheable; this specification defines GET, HEAD, and POST as 3071 cacheable, although the overwhelming majority of cache 3072 implementations only support GET and HEAD. 3074 7.3. Method Definitions 3076 7.3.1. GET 3078 The GET method requests transfer of a current selected representation 3079 for the target resource. GET is the primary mechanism of information 3080 retrieval and the focus of almost all performance optimizations. 3081 Hence, when people speak of retrieving some identifiable information 3082 via HTTP, they are generally referring to making a GET request. 3084 It is tempting to think of resource identifiers as remote file system 3085 pathnames and of representations as being a copy of the contents of 3086 such files. In fact, that is how many resources are implemented (see 3087 Section 12.3 for related security considerations). However, there 3088 are no such limitations in practice. The HTTP interface for a 3089 resource is just as likely to be implemented as a tree of content 3090 objects, a programmatic view on various database records, or a 3091 gateway to other information systems. Even when the URI mapping 3092 mechanism is tied to a file system, an origin server might be 3093 configured to execute the files with the request as input and send 3094 the output as the representation rather than transfer the files 3095 directly. Regardless, only the origin server needs to know how each 3096 of its resource identifiers corresponds to an implementation and how 3097 each implementation manages to select and send a current 3098 representation of the target resource in a response to GET. 3100 A client can alter the semantics of GET to be a "range request", 3101 requesting transfer of only some part(s) of the selected 3102 representation, by sending a Range header field in the request 3103 (Section 8.3). 3105 A payload within a GET request message has no defined semantics; 3106 sending a payload body on a GET request might cause some existing 3107 implementations to reject the request. 3109 The response to a GET request is cacheable; a cache MAY use it to 3110 satisfy subsequent GET and HEAD requests unless otherwise indicated 3111 by the Cache-Control header field (Section 5.2 of [Caching]). 3113 7.3.2. HEAD 3115 The HEAD method is identical to GET except that the server MUST NOT 3116 send a message body in the response (i.e., the response terminates at 3117 the end of the header section). The server SHOULD send the same 3118 header fields in response to a HEAD request as it would have sent if 3119 the request had been a GET, except that the payload header fields 3120 (Section 6.3) MAY be omitted. This method can be used for obtaining 3121 metadata about the selected representation without transferring the 3122 representation data and is often used for testing hypertext links for 3123 validity, accessibility, and recent modification. 3125 A payload within a HEAD request message has no defined semantics; 3126 sending a payload body on a HEAD request might cause some existing 3127 implementations to reject the request. 3129 The response to a HEAD request is cacheable; a cache MAY use it to 3130 satisfy subsequent HEAD requests unless otherwise indicated by the 3131 Cache-Control header field (Section 5.2 of [Caching]). A HEAD 3132 response might also have an effect on previously cached responses to 3133 GET; see Section 4.3.5 of [Caching]. 3135 7.3.3. POST 3137 The POST method requests that the target resource process the 3138 representation enclosed in the request according to the resource's 3139 own specific semantics. For example, POST is used for the following 3140 functions (among others): 3142 o Providing a block of data, such as the fields entered into an HTML 3143 form, to a data-handling process; 3145 o Posting a message to a bulletin board, newsgroup, mailing list, 3146 blog, or similar group of articles; 3148 o Creating a new resource that has yet to be identified by the 3149 origin server; and 3151 o Appending data to a resource's existing representation(s). 3153 An origin server indicates response semantics by choosing an 3154 appropriate status code depending on the result of processing the 3155 POST request; almost all of the status codes defined by this 3156 specification might be received in a response to POST (the exceptions 3157 being 206 (Partial Content), 304 (Not Modified), and 416 (Range Not 3158 Satisfiable)). 3160 If one or more resources has been created on the origin server as a 3161 result of successfully processing a POST request, the origin server 3162 SHOULD send a 201 (Created) response containing a Location header 3163 field that provides an identifier for the primary resource created 3164 (Section 10.1.2) and a representation that describes the status of 3165 the request while referring to the new resource(s). 3167 Responses to POST requests are only cacheable when they include 3168 explicit freshness information (see Section 4.2.1 of [Caching]) and a 3169 Content-Location header field that has the same value as the POST's 3170 effective request URI (Section 6.2.5). A cached POST response can be 3171 reused to satisfy a later GET or HEAD request, but not a POST 3172 request, since POST is required to be written through to the origin 3173 server, because it is unsafe; see Section 4 of [Caching]. 3175 If the result of processing a POST would be equivalent to a 3176 representation of an existing resource, an origin server MAY redirect 3177 the user agent to that resource by sending a 303 (See Other) response 3178 with the existing resource's identifier in the Location field. This 3179 has the benefits of providing the user agent a resource identifier 3180 and transferring the representation via a method more amenable to 3181 shared caching, though at the cost of an extra request if the user 3182 agent does not already have the representation cached. 3184 7.3.4. PUT 3186 The PUT method requests that the state of the target resource be 3187 created or replaced with the state defined by the representation 3188 enclosed in the request message payload. A successful PUT of a given 3189 representation would suggest that a subsequent GET on that same 3190 target resource will result in an equivalent representation being 3191 sent in a 200 (OK) response. However, there is no guarantee that 3192 such a state change will be observable, since the target resource 3193 might be acted upon by other user agents in parallel, or might be 3194 subject to dynamic processing by the origin server, before any 3195 subsequent GET is received. A successful response only implies that 3196 the user agent's intent was achieved at the time of its processing by 3197 the origin server. 3199 If the target resource does not have a current representation and the 3200 PUT successfully creates one, then the origin server MUST inform the 3201 user agent by sending a 201 (Created) response. If the target 3202 resource does have a current representation and that representation 3203 is successfully modified in accordance with the state of the enclosed 3204 representation, then the origin server MUST send either a 200 (OK) or 3205 a 204 (No Content) response to indicate successful completion of the 3206 request. 3208 An origin server SHOULD ignore unrecognized header fields received in 3209 a PUT request (i.e., do not save them as part of the resource state). 3211 An origin server SHOULD verify that the PUT representation is 3212 consistent with any constraints the server has for the target 3213 resource that cannot or will not be changed by the PUT. This is 3214 particularly important when the origin server uses internal 3215 configuration information related to the URI in order to set the 3216 values for representation metadata on GET responses. When a PUT 3217 representation is inconsistent with the target resource, the origin 3218 server SHOULD either make them consistent, by transforming the 3219 representation or changing the resource configuration, or respond 3220 with an appropriate error message containing sufficient information 3221 to explain why the representation is unsuitable. The 409 (Conflict) 3222 or 415 (Unsupported Media Type) status codes are suggested, with the 3223 latter being specific to constraints on Content-Type values. 3225 For example, if the target resource is configured to always have a 3226 Content-Type of "text/html" and the representation being PUT has a 3227 Content-Type of "image/jpeg", the origin server ought to do one of: 3229 a. reconfigure the target resource to reflect the new media type; 3231 b. transform the PUT representation to a format consistent with that 3232 of the resource before saving it as the new resource state; or, 3234 c. reject the request with a 415 (Unsupported Media Type) response 3235 indicating that the target resource is limited to "text/html", 3236 perhaps including a link to a different resource that would be a 3237 suitable target for the new representation. 3239 HTTP does not define exactly how a PUT method affects the state of an 3240 origin server beyond what can be expressed by the intent of the user 3241 agent request and the semantics of the origin server response. It 3242 does not define what a resource might be, in any sense of that word, 3243 beyond the interface provided via HTTP. It does not define how 3244 resource state is "stored", nor how such storage might change as a 3245 result of a change in resource state, nor how the origin server 3246 translates resource state into representations. Generally speaking, 3247 all implementation details behind the resource interface are 3248 intentionally hidden by the server. 3250 An origin server MUST NOT send a validator header field 3251 (Section 10.2), such as an ETag or Last-Modified field, in a 3252 successful response to PUT unless the request's representation data 3253 was saved without any transformation applied to the body (i.e., the 3254 resource's new representation data is identical to the representation 3255 data received in the PUT request) and the validator field value 3256 reflects the new representation. This requirement allows a user 3257 agent to know when the representation body it has in memory remains 3258 current as a result of the PUT, thus not in need of being retrieved 3259 again from the origin server, and that the new validator(s) received 3260 in the response can be used for future conditional requests in order 3261 to prevent accidental overwrites (Section 8.2). 3263 The fundamental difference between the POST and PUT methods is 3264 highlighted by the different intent for the enclosed representation. 3265 The target resource in a POST request is intended to handle the 3266 enclosed representation according to the resource's own semantics, 3267 whereas the enclosed representation in a PUT request is defined as 3268 replacing the state of the target resource. Hence, the intent of PUT 3269 is idempotent and visible to intermediaries, even though the exact 3270 effect is only known by the origin server. 3272 Proper interpretation of a PUT request presumes that the user agent 3273 knows which target resource is desired. A service that selects a 3274 proper URI on behalf of the client, after receiving a state-changing 3275 request, SHOULD be implemented using the POST method rather than PUT. 3276 If the origin server will not make the requested PUT state change to 3277 the target resource and instead wishes to have it applied to a 3278 different resource, such as when the resource has been moved to a 3279 different URI, then the origin server MUST send an appropriate 3xx 3280 (Redirection) response; the user agent MAY then make its own decision 3281 regarding whether or not to redirect the request. 3283 A PUT request applied to the target resource can have side effects on 3284 other resources. For example, an article might have a URI for 3285 identifying "the current version" (a resource) that is separate from 3286 the URIs identifying each particular version (different resources 3287 that at one point shared the same state as the current version 3288 resource). A successful PUT request on "the current version" URI 3289 might therefore create a new version resource in addition to changing 3290 the state of the target resource, and might also cause links to be 3291 added between the related resources. 3293 An origin server that allows PUT on a given target resource MUST send 3294 a 400 (Bad Request) response to a PUT request that contains a 3295 Content-Range header field (Section 6.3.3), since the payload is 3296 likely to be partial content that has been mistakenly PUT as a full 3297 representation. Partial content updates are possible by targeting a 3298 separately identified resource with state that overlaps a portion of 3299 the larger resource, or by using a different method that has been 3300 specifically defined for partial updates (for example, the PATCH 3301 method defined in [RFC5789]). 3303 Responses to the PUT method are not cacheable. If a successful PUT 3304 request passes through a cache that has one or more stored responses 3305 for the effective request URI, those stored responses will be 3306 invalidated (see Section 4.4 of [Caching]). 3308 7.3.5. DELETE 3310 The DELETE method requests that the origin server remove the 3311 association between the target resource and its current 3312 functionality. In effect, this method is similar to the rm command 3313 in UNIX: it expresses a deletion operation on the URI mapping of the 3314 origin server rather than an expectation that the previously 3315 associated information be deleted. 3317 If the target resource has one or more current representations, they 3318 might or might not be destroyed by the origin server, and the 3319 associated storage might or might not be reclaimed, depending 3320 entirely on the nature of the resource and its implementation by the 3321 origin server (which are beyond the scope of this specification). 3322 Likewise, other implementation aspects of a resource might need to be 3323 deactivated or archived as a result of a DELETE, such as database or 3324 gateway connections. In general, it is assumed that the origin 3325 server will only allow DELETE on resources for which it has a 3326 prescribed mechanism for accomplishing the deletion. 3328 Relatively few resources allow the DELETE method -- its primary use 3329 is for remote authoring environments, where the user has some 3330 direction regarding its effect. For example, a resource that was 3331 previously created using a PUT request, or identified via the 3332 Location header field after a 201 (Created) response to a POST 3333 request, might allow a corresponding DELETE request to undo those 3334 actions. Similarly, custom user agent implementations that implement 3335 an authoring function, such as revision control clients using HTTP 3336 for remote operations, might use DELETE based on an assumption that 3337 the server's URI space has been crafted to correspond to a version 3338 repository. 3340 If a DELETE method is successfully applied, the origin server SHOULD 3341 send 3343 o a 202 (Accepted) status code if the action will likely succeed but 3344 has not yet been enacted, 3346 o a 204 (No Content) status code if the action has been enacted and 3347 no further information is to be supplied, or 3349 o a 200 (OK) status code if the action has been enacted and the 3350 response message includes a representation describing the status. 3352 A payload within a DELETE request message has no defined semantics; 3353 sending a payload body on a DELETE request might cause some existing 3354 implementations to reject the request. 3356 Responses to the DELETE method are not cacheable. If a successful 3357 DELETE request passes through a cache that has one or more stored 3358 responses for the effective request URI, those stored responses will 3359 be invalidated (see Section 4.4 of [Caching]). 3361 7.3.6. CONNECT 3363 The CONNECT method requests that the recipient establish a tunnel to 3364 the destination origin server identified by the request-target and, 3365 if successful, thereafter restrict its behavior to blind forwarding 3366 of packets, in both directions, until the tunnel is closed. Tunnels 3367 are commonly used to create an end-to-end virtual connection, through 3368 one or more proxies, which can then be secured using TLS (Transport 3369 Layer Security, [RFC5246]). 3371 CONNECT is intended only for use in requests to a proxy. An origin 3372 server that receives a CONNECT request for itself MAY respond with a 3373 2xx (Successful) status code to indicate that a connection is 3374 established. However, most origin servers do not implement CONNECT. 3376 A client sending a CONNECT request MUST send the authority form of 3377 request-target (Section 3.2 of [Messaging]); i.e., the request-target 3378 consists of only the host name and port number of the tunnel 3379 destination, separated by a colon. For example, 3381 CONNECT server.example.com:80 HTTP/1.1 3382 Host: server.example.com:80 3384 The recipient proxy can establish a tunnel either by directly 3385 connecting to the request-target or, if configured to use another 3386 proxy, by forwarding the CONNECT request to the next inbound proxy. 3387 Any 2xx (Successful) response indicates that the sender (and all 3388 inbound proxies) will switch to tunnel mode immediately after the 3389 blank line that concludes the successful response's header section; 3390 data received after that blank line is from the server identified by 3391 the request-target. Any response other than a successful response 3392 indicates that the tunnel has not yet been formed and that the 3393 connection remains governed by HTTP. 3395 A tunnel is closed when a tunnel intermediary detects that either 3396 side has closed its connection: the intermediary MUST attempt to send 3397 any outstanding data that came from the closed side to the other 3398 side, close both connections, and then discard any remaining data 3399 left undelivered. 3401 Proxy authentication might be used to establish the authority to 3402 create a tunnel. For example, 3404 CONNECT server.example.com:80 HTTP/1.1 3405 Host: server.example.com:80 3406 Proxy-Authorization: basic aGVsbG86d29ybGQ= 3408 There are significant risks in establishing a tunnel to arbitrary 3409 servers, particularly when the destination is a well-known or 3410 reserved TCP port that is not intended for Web traffic. For example, 3411 a CONNECT to a request-target of "example.com:25" would suggest that 3412 the proxy connect to the reserved port for SMTP traffic; if allowed, 3413 that could trick the proxy into relaying spam email. Proxies that 3414 support CONNECT SHOULD restrict its use to a limited set of known 3415 ports or a configurable whitelist of safe request targets. 3417 A server MUST NOT send any Transfer-Encoding or Content-Length header 3418 fields in a 2xx (Successful) response to CONNECT. A client MUST 3419 ignore any Content-Length or Transfer-Encoding header fields received 3420 in a successful response to CONNECT. 3422 A payload within a CONNECT request message has no defined semantics; 3423 sending a payload body on a CONNECT request might cause some existing 3424 implementations to reject the request. 3426 Responses to the CONNECT method are not cacheable. 3428 7.3.7. OPTIONS 3430 The OPTIONS method requests information about the communication 3431 options available for the target resource, at either the origin 3432 server or an intervening intermediary. This method allows a client 3433 to determine the options and/or requirements associated with a 3434 resource, or the capabilities of a server, without implying a 3435 resource action. 3437 An OPTIONS request with an asterisk ("*") as the request-target 3438 (Section 3.2 of [Messaging]) applies to the server in general rather 3439 than to a specific resource. Since a server's communication options 3440 typically depend on the resource, the "*" request is only useful as a 3441 "ping" or "no-op" type of method; it does nothing beyond allowing the 3442 client to test the capabilities of the server. For example, this can 3443 be used to test a proxy for HTTP/1.1 conformance (or lack thereof). 3445 If the request-target is not an asterisk, the OPTIONS request applies 3446 to the options that are available when communicating with the target 3447 resource. 3449 A server generating a successful response to OPTIONS SHOULD send any 3450 header fields that might indicate optional features implemented by 3451 the server and applicable to the target resource (e.g., Allow), 3452 including potential extensions not defined by this specification. 3453 The response payload, if any, might also describe the communication 3454 options in a machine or human-readable representation. A standard 3455 format for such a representation is not defined by this 3456 specification, but might be defined by future extensions to HTTP. A 3457 server MUST generate a Content-Length field with a value of "0" if no 3458 payload body is to be sent in the response. 3460 A client MAY send a Max-Forwards header field in an OPTIONS request 3461 to target a specific recipient in the request chain (see 3462 Section 8.1.2). A proxy MUST NOT generate a Max-Forwards header 3463 field while forwarding a request unless that request was received 3464 with a Max-Forwards field. 3466 A client that generates an OPTIONS request containing a payload body 3467 MUST send a valid Content-Type header field describing the 3468 representation media type. Note that this specification does not 3469 define any use for such a payload. 3471 Responses to the OPTIONS method are not cacheable. 3473 7.3.8. TRACE 3475 The TRACE method requests a remote, application-level loop-back of 3476 the request message. The final recipient of the request SHOULD 3477 reflect the message received, excluding some fields described below, 3478 back to the client as the message body of a 200 (OK) response with a 3479 Content-Type of "message/http" (Section 10.1 of [Messaging]). The 3480 final recipient is either the origin server or the first server to 3481 receive a Max-Forwards value of zero (0) in the request 3482 (Section 8.1.2). 3484 A client MUST NOT generate header fields in a TRACE request 3485 containing sensitive data that might be disclosed by the response. 3486 For example, it would be foolish for a user agent to send stored user 3487 credentials Section 8.5 or cookies [RFC6265] in a TRACE request. The 3488 final recipient of the request SHOULD exclude any request header 3489 fields that are likely to contain sensitive data when that recipient 3490 generates the response body. 3492 TRACE allows the client to see what is being received at the other 3493 end of the request chain and use that data for testing or diagnostic 3494 information. The value of the Via header field (Section 5.5.1) is of 3495 particular interest, since it acts as a trace of the request chain. 3496 Use of the Max-Forwards header field allows the client to limit the 3497 length of the request chain, which is useful for testing a chain of 3498 proxies forwarding messages in an infinite loop. 3500 A client MUST NOT send a message body in a TRACE request. 3502 Responses to the TRACE method are not cacheable. 3504 7.4. Method Extensibility 3506 Additional methods, outside the scope of this specification, have 3507 been specified for use in HTTP. All such methods ought to be 3508 registered within the "Hypertext Transfer Protocol (HTTP) Method 3509 Registry". 3511 7.4.1. Method Registry 3513 The "Hypertext Transfer Protocol (HTTP) Method Registry", maintained 3514 by IANA at , registers 3515 method names. 3517 HTTP method registrations MUST include the following fields: 3519 o Method Name (see Section 7) 3521 o Safe ("yes" or "no", see Section 7.2.1) 3523 o Idempotent ("yes" or "no", see Section 7.2.2) 3525 o Pointer to specification text 3527 Values to be added to this namespace require IETF Review (see 3528 [RFC8126], Section 4.8). 3530 7.4.2. Considerations for New Methods 3532 Standardized methods are generic; that is, they are potentially 3533 applicable to any resource, not just one particular media type, kind 3534 of resource, or application. As such, it is preferred that new 3535 methods be registered in a document that isn't specific to a single 3536 application or data format, since orthogonal technologies deserve 3537 orthogonal specification. 3539 Since message parsing (Section 6 of [Messaging]) needs to be 3540 independent of method semantics (aside from responses to HEAD), 3541 definitions of new methods cannot change the parsing algorithm or 3542 prohibit the presence of a message body on either the request or the 3543 response message. Definitions of new methods can specify that only a 3544 zero-length message body is allowed by requiring a Content-Length 3545 header field with a value of "0". 3547 A new method definition needs to indicate whether it is safe 3548 (Section 7.2.1), idempotent (Section 7.2.2), cacheable 3549 (Section 7.2.3), what semantics are to be associated with the payload 3550 body if any is present in the request and what refinements the method 3551 makes to header field or status code semantics. If the new method is 3552 cacheable, its definition ought to describe how, and under what 3553 conditions, a cache can store a response and use it to satisfy a 3554 subsequent request. The new method ought to describe whether it can 3555 be made conditional (Section 8.2) and, if so, how a server responds 3556 when the condition is false. Likewise, if the new method might have 3557 some use for partial response semantics (Section 8.3), it ought to 3558 document this, too. 3560 Note: Avoid defining a method name that starts with "M-", since 3561 that prefix might be misinterpreted as having the semantics 3562 assigned to it by [RFC2774]. 3564 8. Request Header Fields 3566 A client sends request header fields to provide more information 3567 about the request context, make the request conditional based on the 3568 target resource state, suggest preferred formats for the response, 3569 supply authentication credentials, or modify the expected request 3570 processing. These fields act as request modifiers, similar to the 3571 parameters on a programming language method invocation. 3573 8.1. Controls 3575 Controls are request header fields that direct specific handling of 3576 the request. 3578 +-------------------+----------------------------+ 3579 | Header Field Name | Defined in... | 3580 +-------------------+----------------------------+ 3581 | Cache-Control | Section 5.2 of [Caching] | 3582 | Expect | Section 8.1.1 | 3583 | Host | Section 5.4 | 3584 | Max-Forwards | Section 8.1.2 | 3585 | Pragma | Section 5.4 of [Caching] | 3586 | TE | Section 7.4 of [Messaging] | 3587 +-------------------+----------------------------+ 3589 8.1.1. Expect 3591 The "Expect" header field in a request indicates a certain set of 3592 behaviors (expectations) that need to be supported by the server in 3593 order to properly handle this request. The only such expectation 3594 defined by this specification is 100-continue. 3596 Expect = "100-continue" 3598 The Expect field-value is case-insensitive. 3600 A server that receives an Expect field-value other than 100-continue 3601 MAY respond with a 417 (Expectation Failed) status code to indicate 3602 that the unexpected expectation cannot be met. 3604 A 100-continue expectation informs recipients that the client is 3605 about to send a (presumably large) message body in this request and 3606 wishes to receive a 100 (Continue) interim response if the request- 3607 line and header fields are not sufficient to cause an immediate 3608 success, redirect, or error response. This allows the client to wait 3609 for an indication that it is worthwhile to send the message body 3610 before actually doing so, which can improve efficiency when the 3611 message body is huge or when the client anticipates that an error is 3612 likely (e.g., when sending a state-changing method, for the first 3613 time, without previously verified authentication credentials). 3615 For example, a request that begins with 3617 PUT /somewhere/fun HTTP/1.1 3618 Host: origin.example.com 3619 Content-Type: video/h264 3620 Content-Length: 1234567890987 3621 Expect: 100-continue 3623 allows the origin server to immediately respond with an error 3624 message, such as 401 (Unauthorized) or 405 (Method Not Allowed), 3625 before the client starts filling the pipes with an unnecessary data 3626 transfer. 3628 Requirements for clients: 3630 o A client MUST NOT generate a 100-continue expectation in a request 3631 that does not include a message body. 3633 o A client that will wait for a 100 (Continue) response before 3634 sending the request message body MUST send an Expect header field 3635 containing a 100-continue expectation. 3637 o A client that sends a 100-continue expectation is not required to 3638 wait for any specific length of time; such a client MAY proceed to 3639 send the message body even if it has not yet received a response. 3640 Furthermore, since 100 (Continue) responses cannot be sent through 3641 an HTTP/1.0 intermediary, such a client SHOULD NOT wait for an 3642 indefinite period before sending the message body. 3644 o A client that receives a 417 (Expectation Failed) status code in 3645 response to a request containing a 100-continue expectation SHOULD 3646 repeat that request without a 100-continue expectation, since the 3647 417 response merely indicates that the response chain does not 3648 support expectations (e.g., it passes through an HTTP/1.0 server). 3650 Requirements for servers: 3652 o A server that receives a 100-continue expectation in an HTTP/1.0 3653 request MUST ignore that expectation. 3655 o A server MAY omit sending a 100 (Continue) response if it has 3656 already received some or all of the message body for the 3657 corresponding request, or if the framing indicates that there is 3658 no message body. 3660 o A server that sends a 100 (Continue) response MUST ultimately send 3661 a final status code, once the message body is received and 3662 processed, unless the connection is closed prematurely. 3664 o A server that responds with a final status code before reading the 3665 entire request payload body SHOULD indicate whether it intends to 3666 close the connection (see Section 9.7 of [Messaging]) or continue 3667 reading the payload body. 3669 An origin server MUST, upon receiving an HTTP/1.1 (or later) request- 3670 line and a complete header section that contains a 100-continue 3671 expectation and indicates a request message body will follow, either 3672 send an immediate response with a final status code, if that status 3673 can be determined by examining just the request-line and header 3674 fields, or send an immediate 100 (Continue) response to encourage the 3675 client to send the request's message body. The origin server MUST 3676 NOT wait for the message body before sending the 100 (Continue) 3677 response. 3679 A proxy MUST, upon receiving an HTTP/1.1 (or later) request-line and 3680 a complete header section that contains a 100-continue expectation 3681 and indicates a request message body will follow, either send an 3682 immediate response with a final status code, if that status can be 3683 determined by examining just the request-line and header fields, or 3684 begin forwarding the request toward the origin server by sending a 3685 corresponding request-line and header section to the next inbound 3686 server. If the proxy believes (from configuration or past 3687 interaction) that the next inbound server only supports HTTP/1.0, the 3688 proxy MAY generate an immediate 100 (Continue) response to encourage 3689 the client to begin sending the message body. 3691 Note: The Expect header field was added after the original 3692 publication of HTTP/1.1 [RFC2068] as both the means to request an 3693 interim 100 (Continue) response and the general mechanism for 3694 indicating must-understand extensions. However, the extension 3695 mechanism has not been used by clients and the must-understand 3696 requirements have not been implemented by many servers, rendering 3697 the extension mechanism useless. This specification has removed 3698 the extension mechanism in order to simplify the definition and 3699 processing of 100-continue. 3701 8.1.2. Max-Forwards 3703 The "Max-Forwards" header field provides a mechanism with the TRACE 3704 (Section 7.3.8) and OPTIONS (Section 7.3.7) request methods to limit 3705 the number of times that the request is forwarded by proxies. This 3706 can be useful when the client is attempting to trace a request that 3707 appears to be failing or looping mid-chain. 3709 Max-Forwards = 1*DIGIT 3711 The Max-Forwards value is a decimal integer indicating the remaining 3712 number of times this request message can be forwarded. 3714 Each intermediary that receives a TRACE or OPTIONS request containing 3715 a Max-Forwards header field MUST check and update its value prior to 3716 forwarding the request. If the received value is zero (0), the 3717 intermediary MUST NOT forward the request; instead, the intermediary 3718 MUST respond as the final recipient. If the received Max-Forwards 3719 value is greater than zero, the intermediary MUST generate an updated 3720 Max-Forwards field in the forwarded message with a field-value that 3721 is the lesser of a) the received value decremented by one (1) or b) 3722 the recipient's maximum supported value for Max-Forwards. 3724 A recipient MAY ignore a Max-Forwards header field received with any 3725 other request methods. 3727 8.2. Preconditions 3729 A conditional request is an HTTP request with one or more request 3730 header fields that indicate a precondition to be tested before 3731 applying the request method to the target resource. Section 8.2.1 3732 defines when preconditions are applied. Section 8.2.2 defines the 3733 order of evaluation when more than one precondition is present. 3735 Conditional GET requests are the most efficient mechanism for HTTP 3736 cache updates [Caching]. Conditionals can also be applied to state- 3737 changing methods, such as PUT and DELETE, to prevent the "lost 3738 update" problem: one client accidentally overwriting the work of 3739 another client that has been acting in parallel. 3741 Conditional request preconditions are based on the state of the 3742 target resource as a whole (its current value set) or the state as 3743 observed in a previously obtained representation (one value in that 3744 set). A resource might have multiple current representations, each 3745 with its own observable state. The conditional request mechanisms 3746 assume that the mapping of requests to a "selected representation" 3747 (Section 6) will be consistent over time if the server intends to 3748 take advantage of conditionals. Regardless, if the mapping is 3749 inconsistent and the server is unable to select the appropriate 3750 representation, then no harm will result when the precondition 3751 evaluates to false. 3753 The following request header fields allow a client to place a 3754 precondition on the state of the target resource, so that the action 3755 corresponding to the method semantics will not be applied if the 3756 precondition evaluates to false. Each precondition defined by this 3757 specification consists of a comparison between a set of validators 3758 obtained from prior representations of the target resource to the 3759 current state of validators for the selected representation 3760 (Section 10.2). Hence, these preconditions evaluate whether the 3761 state of the target resource has changed since a given state known by 3762 the client. The effect of such an evaluation depends on the method 3763 semantics and choice of conditional, as defined in Section 8.2.1. 3765 +---------------------+---------------+ 3766 | Header Field Name | Defined in... | 3767 +---------------------+---------------+ 3768 | If-Match | Section 8.2.3 | 3769 | If-None-Match | Section 8.2.4 | 3770 | If-Modified-Since | Section 8.2.5 | 3771 | If-Unmodified-Since | Section 8.2.6 | 3772 | If-Range | Section 8.2.7 | 3773 +---------------------+---------------+ 3775 8.2.1. Evaluation 3777 Except when excluded below, a recipient cache or origin server MUST 3778 evaluate received request preconditions after it has successfully 3779 performed its normal request checks and just before it would perform 3780 the action associated with the request method. A server MUST ignore 3781 all received preconditions if its response to the same request 3782 without those conditions would have been a status code other than a 3783 2xx (Successful) or 412 (Precondition Failed). In other words, 3784 redirects and failures take precedence over the evaluation of 3785 preconditions in conditional requests. 3787 A server that is not the origin server for the target resource and 3788 cannot act as a cache for requests on the target resource MUST NOT 3789 evaluate the conditional request header fields defined by this 3790 specification, and it MUST forward them if the request is forwarded, 3791 since the generating client intends that they be evaluated by a 3792 server that can provide a current representation. Likewise, a server 3793 MUST ignore the conditional request header fields defined by this 3794 specification when received with a request method that does not 3795 involve the selection or modification of a selected representation, 3796 such as CONNECT, OPTIONS, or TRACE. 3798 Note that protocol extensions can modify the conditions under which 3799 revalidation is triggered. For example, the "immutable" cache 3800 directive (defined by [RFC8246]) instructs caches to forgo 3801 revalidation of fresh responses even when requested by the client. 3803 Conditional request header fields that are defined by extensions to 3804 HTTP might place conditions on all recipients, on the state of the 3805 target resource in general, or on a group of resources. For 3806 instance, the "If" header field in WebDAV can make a request 3807 conditional on various aspects of multiple resources, such as locks, 3808 if the recipient understands and implements that field ([RFC4918], 3809 Section 10.4). 3811 Although conditional request header fields are defined as being 3812 usable with the HEAD method (to keep HEAD's semantics consistent with 3813 those of GET), there is no point in sending a conditional HEAD 3814 because a successful response is around the same size as a 304 (Not 3815 Modified) response and more useful than a 412 (Precondition Failed) 3816 response. 3818 8.2.2. Precedence 3820 When more than one conditional request header field is present in a 3821 request, the order in which the fields are evaluated becomes 3822 important. In practice, the fields defined in this document are 3823 consistently implemented in a single, logical order, since "lost 3824 update" preconditions have more strict requirements than cache 3825 validation, a validated cache is more efficient than a partial 3826 response, and entity tags are presumed to be more accurate than date 3827 validators. 3829 A recipient cache or origin server MUST evaluate the request 3830 preconditions defined by this specification in the following order: 3832 1. When recipient is the origin server and If-Match is present, 3833 evaluate the If-Match precondition: 3835 * if true, continue to step 3 3837 * if false, respond 412 (Precondition Failed) unless it can be 3838 determined that the state-changing request has already 3839 succeeded (see Section 8.2.3) 3841 2. When recipient is the origin server, If-Match is not present, and 3842 If-Unmodified-Since is present, evaluate the If-Unmodified-Since 3843 precondition: 3845 * if true, continue to step 3 3847 * if false, respond 412 (Precondition Failed) unless it can be 3848 determined that the state-changing request has already 3849 succeeded (see Section 8.2.6) 3851 3. When If-None-Match is present, evaluate the If-None-Match 3852 precondition: 3854 * if true, continue to step 5 3856 * if false for GET/HEAD, respond 304 (Not Modified) 3858 * if false for other methods, respond 412 (Precondition Failed) 3860 4. When the method is GET or HEAD, If-None-Match is not present, and 3861 If-Modified-Since is present, evaluate the If-Modified-Since 3862 precondition: 3864 * if true, continue to step 5 3866 * if false, respond 304 (Not Modified) 3868 5. When the method is GET and both Range and If-Range are present, 3869 evaluate the If-Range precondition: 3871 * if the validator matches and the Range specification is 3872 applicable to the selected representation, respond 206 3873 (Partial Content) 3875 6. Otherwise, 3877 * all conditions are met, so perform the requested action and 3878 respond according to its success or failure. 3880 Any extension to HTTP/1.1 that defines additional conditional request 3881 header fields ought to define its own expectations regarding the 3882 order for evaluating such fields in relation to those defined in this 3883 document and other conditionals that might be found in practice. 3885 8.2.3. If-Match 3887 The "If-Match" header field makes the request method conditional on 3888 the recipient origin server either having at least one current 3889 representation of the target resource, when the field-value is "*", 3890 or having a current representation of the target resource that has an 3891 entity-tag matching a member of the list of entity-tags provided in 3892 the field-value. 3894 An origin server MUST use the strong comparison function when 3895 comparing entity-tags for If-Match (Section 10.2.3.2), since the 3896 client intends this precondition to prevent the method from being 3897 applied if there have been any changes to the representation data. 3899 If-Match = "*" / 1#entity-tag 3901 Examples: 3903 If-Match: "xyzzy" 3904 If-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 3905 If-Match: * 3907 If-Match is most often used with state-changing methods (e.g., POST, 3908 PUT, DELETE) to prevent accidental overwrites when multiple user 3909 agents might be acting in parallel on the same resource (i.e., to 3910 prevent the "lost update" problem). It can also be used with safe 3911 methods to abort a request if the selected representation does not 3912 match one already stored (or partially stored) from a prior request. 3914 An origin server that receives an If-Match header field MUST evaluate 3915 the condition prior to performing the method (Section 8.2.1). If the 3916 field-value is "*", the condition is false if the origin server does 3917 not have a current representation for the target resource. If the 3918 field-value is a list of entity-tags, the condition is false if none 3919 of the listed tags match the entity-tag of the selected 3920 representation. 3922 An origin server MUST NOT perform the requested method if a received 3923 If-Match condition evaluates to false; instead, the origin server 3924 MUST respond with either a) the 412 (Precondition Failed) status code 3925 or b) one of the 2xx (Successful) status codes if the origin server 3926 has verified that a state change is being requested and the final 3927 state is already reflected in the current state of the target 3928 resource (i.e., the change requested by the user agent has already 3929 succeeded, but the user agent might not be aware of it, perhaps 3930 because the prior response was lost or a compatible change was made 3931 by some other user agent). In the latter case, the origin server 3932 MUST NOT send a validator header field in the response unless it can 3933 verify that the request is a duplicate of an immediately prior change 3934 made by the same user agent. 3936 The If-Match header field can be ignored by caches and intermediaries 3937 because it is not applicable to a stored response. 3939 8.2.4. If-None-Match 3941 The "If-None-Match" header field makes the request method conditional 3942 on a recipient cache or origin server either not having any current 3943 representation of the target resource, when the field-value is "*", 3944 or having a selected representation with an entity-tag that does not 3945 match any of those listed in the field-value. 3947 A recipient MUST use the weak comparison function when comparing 3948 entity-tags for If-None-Match (Section 10.2.3.2), since weak entity- 3949 tags can be used for cache validation even if there have been changes 3950 to the representation data. 3952 If-None-Match = "*" / 1#entity-tag 3954 Examples: 3956 If-None-Match: "xyzzy" 3957 If-None-Match: W/"xyzzy" 3958 If-None-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 3959 If-None-Match: W/"xyzzy", W/"r2d2xxxx", W/"c3piozzzz" 3960 If-None-Match: * 3962 If-None-Match is primarily used in conditional GET requests to enable 3963 efficient updates of cached information with a minimum amount of 3964 transaction overhead. When a client desires to update one or more 3965 stored responses that have entity-tags, the client SHOULD generate an 3966 If-None-Match header field containing a list of those entity-tags 3967 when making a GET request; this allows recipient servers to send a 3968 304 (Not Modified) response to indicate when one of those stored 3969 responses matches the selected representation. 3971 If-None-Match can also be used with a value of "*" to prevent an 3972 unsafe request method (e.g., PUT) from inadvertently modifying an 3973 existing representation of the target resource when the client 3974 believes that the resource does not have a current representation 3975 (Section 7.2.1). This is a variation on the "lost update" problem 3976 that might arise if more than one client attempts to create an 3977 initial representation for the target resource. 3979 An origin server that receives an If-None-Match header field MUST 3980 evaluate the condition prior to performing the method 3981 (Section 8.2.1). If the field-value is "*", the condition is false 3982 if the origin server has a current representation for the target 3983 resource. If the field-value is a list of entity-tags, the condition 3984 is false if one of the listed tags match the entity-tag of the 3985 selected representation. 3987 An origin server MUST NOT perform the requested method if the 3988 condition evaluates to false; instead, the origin server MUST respond 3989 with either a) the 304 (Not Modified) status code if the request 3990 method is GET or HEAD or b) the 412 (Precondition Failed) status code 3991 for all other request methods. 3993 Requirements on cache handling of a received If-None-Match header 3994 field are defined in Section 4.3.2 of [Caching]. 3996 8.2.5. If-Modified-Since 3998 The "If-Modified-Since" header field makes a GET or HEAD request 3999 method conditional on the selected representation's modification date 4000 being more recent than the date provided in the field-value. 4001 Transfer of the selected representation's data is avoided if that 4002 data has not changed. 4004 If-Modified-Since = HTTP-date 4006 An example of the field is: 4008 If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT 4010 A recipient MUST ignore If-Modified-Since if the request contains an 4011 If-None-Match header field; the condition in If-None-Match is 4012 considered to be a more accurate replacement for the condition in If- 4013 Modified-Since, and the two are only combined for the sake of 4014 interoperating with older intermediaries that might not implement If- 4015 None-Match. 4017 A recipient MUST ignore the If-Modified-Since header field if the 4018 received field-value is not a valid HTTP-date, or if the request 4019 method is neither GET nor HEAD. 4021 A recipient MUST interpret an If-Modified-Since field-value's 4022 timestamp in terms of the origin server's clock. 4024 If-Modified-Since is typically used for two distinct purposes: 1) to 4025 allow efficient updates of a cached representation that does not have 4026 an entity-tag and 2) to limit the scope of a web traversal to 4027 resources that have recently changed. 4029 When used for cache updates, a cache will typically use the value of 4030 the cached message's Last-Modified field to generate the field value 4031 of If-Modified-Since. This behavior is most interoperable for cases 4032 where clocks are poorly synchronized or when the server has chosen to 4033 only honor exact timestamp matches (due to a problem with Last- 4034 Modified dates that appear to go "back in time" when the origin 4035 server's clock is corrected or a representation is restored from an 4036 archived backup). However, caches occasionally generate the field 4037 value based on other data, such as the Date header field of the 4038 cached message or the local clock time that the message was received, 4039 particularly when the cached message does not contain a Last-Modified 4040 field. 4042 When used for limiting the scope of retrieval to a recent time 4043 window, a user agent will generate an If-Modified-Since field value 4044 based on either its own local clock or a Date header field received 4045 from the server in a prior response. Origin servers that choose an 4046 exact timestamp match based on the selected representation's Last- 4047 Modified field will not be able to help the user agent limit its data 4048 transfers to only those changed during the specified window. 4050 An origin server that receives an If-Modified-Since header field 4051 SHOULD evaluate the condition prior to performing the method 4052 (Section 8.2.1). The origin server SHOULD NOT perform the requested 4053 method if the selected representation's last modification date is 4054 earlier than or equal to the date provided in the field-value; 4055 instead, the origin server SHOULD generate a 304 (Not Modified) 4056 response, including only those metadata that are useful for 4057 identifying or updating a previously cached response. 4059 Requirements on cache handling of a received If-Modified-Since header 4060 field are defined in Section 4.3.2 of [Caching]. 4062 8.2.6. If-Unmodified-Since 4064 The "If-Unmodified-Since" header field makes the request method 4065 conditional on the selected representation's last modification date 4066 being earlier than or equal to the date provided in the field-value. 4067 This field accomplishes the same purpose as If-Match for cases where 4068 the user agent does not have an entity-tag for the representation. 4070 If-Unmodified-Since = HTTP-date 4072 An example of the field is: 4074 If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT 4076 A recipient MUST ignore If-Unmodified-Since if the request contains 4077 an If-Match header field; the condition in If-Match is considered to 4078 be a more accurate replacement for the condition in If-Unmodified- 4079 Since, and the two are only combined for the sake of interoperating 4080 with older intermediaries that might not implement If-Match. 4082 A recipient MUST ignore the If-Unmodified-Since header field if the 4083 received field-value is not a valid HTTP-date. 4085 A recipient MUST interpret an If-Unmodified-Since field-value's 4086 timestamp in terms of the origin server's clock. 4088 If-Unmodified-Since is most often used with state-changing methods 4089 (e.g., POST, PUT, DELETE) to prevent accidental overwrites when 4090 multiple user agents might be acting in parallel on a resource that 4091 does not supply entity-tags with its representations (i.e., to 4092 prevent the "lost update" problem). It can also be used with safe 4093 methods to abort a request if the selected representation does not 4094 match one already stored (or partially stored) from a prior request. 4096 An origin server that receives an If-Unmodified-Since header field 4097 MUST evaluate the condition prior to performing the method 4098 (Section 8.2.1). The origin server MUST NOT perform the requested 4099 method if the selected representation's last modification date is 4100 more recent than the date provided in the field-value; instead the 4101 origin server MUST respond with either a) the 412 (Precondition 4102 Failed) status code or b) one of the 2xx (Successful) status codes if 4103 the origin server has verified that a state change is being requested 4104 and the final state is already reflected in the current state of the 4105 target resource (i.e., the change requested by the user agent has 4106 already succeeded, but the user agent might not be aware of that 4107 because the prior response message was lost or a compatible change 4108 was made by some other user agent). In the latter case, the origin 4109 server MUST NOT send a validator header field in the response unless 4110 it can verify that the request is a duplicate of an immediately prior 4111 change made by the same user agent. 4113 The If-Unmodified-Since header field can be ignored by caches and 4114 intermediaries because it is not applicable to a stored response. 4116 8.2.7. If-Range 4118 The "If-Range" header field provides a special conditional request 4119 mechanism that is similar to the If-Match and If-Unmodified-Since 4120 header fields but that instructs the recipient to ignore the Range 4121 header field if the validator doesn't match, resulting in transfer of 4122 the new selected representation instead of a 412 (Precondition 4123 Failed) response. 4125 If a client has a partial copy of a representation and wishes to have 4126 an up-to-date copy of the entire representation, it could use the 4127 Range header field with a conditional GET (using either or both of 4128 If-Unmodified-Since and If-Match.) However, if the precondition 4129 fails because the representation has been modified, the client would 4130 then have to make a second request to obtain the entire current 4131 representation. 4133 The "If-Range" header field allows a client to "short-circuit" the 4134 second request. Informally, its meaning is as follows: if the 4135 representation is unchanged, send me the part(s) that I am requesting 4136 in Range; otherwise, send me the entire representation. 4138 If-Range = entity-tag / HTTP-date 4140 A client MUST NOT generate an If-Range header field in a request that 4141 does not contain a Range header field. A server MUST ignore an If- 4142 Range header field received in a request that does not contain a 4143 Range header field. An origin server MUST ignore an If-Range header 4144 field received in a request for a target resource that does not 4145 support Range requests. 4147 A client MUST NOT generate an If-Range header field containing an 4148 entity-tag that is marked as weak. A client MUST NOT generate an If- 4149 Range header field containing an HTTP-date unless the client has no 4150 entity-tag for the corresponding representation and the date is a 4151 strong validator in the sense defined by Section 10.2.2.2. 4153 A server that evaluates an If-Range precondition MUST use the strong 4154 comparison function when comparing entity-tags (Section 10.2.3.2) and 4155 MUST evaluate the condition as false if an HTTP-date validator is 4156 provided that is not a strong validator in the sense defined by 4157 Section 10.2.2.2. A valid entity-tag can be distinguished from a 4158 valid HTTP-date by examining the first two characters for a DQUOTE. 4160 If the validator given in the If-Range header field matches the 4161 current validator for the selected representation of the target 4162 resource, then the server SHOULD process the Range header field as 4163 requested. If the validator does not match, the server MUST ignore 4164 the Range header field. Note that this comparison by exact match, 4165 including when the validator is an HTTP-date, differs from the 4166 "earlier than or equal to" comparison used when evaluating an If- 4167 Unmodified-Since conditional. 4169 8.3. Range 4171 The "Range" header field on a GET request modifies the method 4172 semantics to request transfer of only one or more subranges of the 4173 selected representation data, rather than the entire selected 4174 representation data. 4176 Range = byte-ranges-specifier / other-ranges-specifier 4177 other-ranges-specifier = other-range-unit "=" other-range-set 4178 other-range-set = 1*VCHAR 4180 Clients often encounter interrupted data transfers as a result of 4181 canceled requests or dropped connections. When a client has stored a 4182 partial representation, it is desirable to request the remainder of 4183 that representation in a subsequent request rather than transfer the 4184 entire representation. Likewise, devices with limited local storage 4185 might benefit from being able to request only a subset of a larger 4186 representation, such as a single page of a very large document, or 4187 the dimensions of an embedded image. 4189 Range requests are an OPTIONAL feature of HTTP, designed so that 4190 recipients not implementing this feature (or not supporting it for 4191 the target resource) can respond as if it is a normal GET request 4192 without impacting interoperability. Partial responses are indicated 4193 by a distinct status code to not be mistaken for full responses by 4194 caches that might not implement the feature. 4196 A server MAY ignore the Range header field. However, origin servers 4197 and intermediate caches ought to support byte ranges when possible, 4198 since Range supports efficient recovery from partially failed 4199 transfers and partial retrieval of large representations. A server 4200 MUST ignore a Range header field received with a request method other 4201 than GET. 4203 Although the range request mechanism is designed to allow for 4204 extensible range types, this specification only defines requests for 4205 byte ranges. 4207 An origin server MUST ignore a Range header field that contains a 4208 range unit it does not understand. A proxy MAY discard a Range 4209 header field that contains a range unit it does not understand. 4211 A server that supports range requests MAY ignore or reject a Range 4212 header field that consists of more than two overlapping ranges, or a 4213 set of many small ranges that are not listed in ascending order, 4214 since both are indications of either a broken client or a deliberate 4215 denial-of-service attack (Section 12.13). A client SHOULD NOT 4216 request multiple ranges that are inherently less efficient to process 4217 and transfer than a single range that encompasses the same data. 4219 A client that is requesting multiple ranges SHOULD list those ranges 4220 in ascending order (the order in which they would typically be 4221 received in a complete representation) unless there is a specific 4222 need to request a later part earlier. For example, a user agent 4223 processing a large representation with an internal catalog of parts 4224 might need to request later parts first, particularly if the 4225 representation consists of pages stored in reverse order and the user 4226 agent wishes to transfer one page at a time. 4228 The Range header field is evaluated after evaluating the precondition 4229 header fields defined in Section 8.2, and only if the result in 4230 absence of the Range header field would be a 200 (OK) response. In 4231 other words, Range is ignored when a conditional GET would result in 4232 a 304 (Not Modified) response. 4234 The If-Range header field (Section 8.2.7) can be used as a 4235 precondition to applying the Range header field. 4237 If all of the preconditions are true, the server supports the Range 4238 header field for the target resource, and the specified range(s) are 4239 valid and satisfiable (as defined in Section 6.1.4.1), the server 4240 SHOULD send a 206 (Partial Content) response with a payload 4241 containing one or more partial representations that correspond to the 4242 satisfiable ranges requested. 4244 If all of the preconditions are true, the server supports the Range 4245 header field for the target resource, and the specified range(s) are 4246 invalid or unsatisfiable, the server SHOULD send a 416 (Range Not 4247 Satisfiable) response. 4249 8.4. Content Negotiation 4251 The following request header fields are sent by a user agent to 4252 engage in proactive negotiation of the response content, as defined 4253 in Section 6.4.1. The preferences sent in these fields apply to any 4254 content in the response, including representations of the target 4255 resource, representations of error or processing status, and 4256 potentially even the miscellaneous text strings that might appear 4257 within the protocol. 4259 +-------------------+---------------+ 4260 | Header Field Name | Defined in... | 4261 +-------------------+---------------+ 4262 | Accept | Section 8.4.2 | 4263 | Accept-Charset | Section 8.4.3 | 4264 | Accept-Encoding | Section 8.4.4 | 4265 | Accept-Language | Section 8.4.5 | 4266 +-------------------+---------------+ 4268 For each of these header fields, a request that does not contain it 4269 implies that the user agent has no preference on that axis of 4270 negotiation. If the header field is present in a request and none of 4271 the available representations for the response can be considered 4272 acceptable according to it, the origin server can either honor the 4273 header field by sending a 406 (Not Acceptable) response or disregard 4274 the header field by treating the response as if it is not subject to 4275 content negotiation for that request header field. This does not 4276 imply, however, that the client will be able to use the 4277 representation. 4279 Note: Sending these header fields makes it easier for a server to 4280 identify an individual by virtue of the user agent's request 4281 characteristics (Section 12.11). 4283 Each of these header fields defines a wildcard value (often, "*") to 4284 select unspecified values. If no wildcard is present, all values not 4285 explicitly mentioned in the field are considered "not acceptable" to 4286 the client. 4288 Note: In practice, using wildcards in content negotiation has limited 4289 practical value, because it is seldom useful to say, for example, "I 4290 prefer image/* more or less than (some other specific value)". 4291 Clients can explicitly request a 406 (Not Acceptable) response if a 4292 more preferred format is not available by sending Accept: */*;q=0, 4293 but they still need to be able to handle a different response, since 4294 the server is allowed to ignore their preference. 4296 8.4.1. Quality Values 4298 Many of the request header fields for proactive negotiation use a 4299 common parameter, named "q" (case-insensitive), to assign a relative 4300 "weight" to the preference for that associated kind of content. This 4301 weight is referred to as a "quality value" (or "qvalue") because the 4302 same parameter name is often used within server configurations to 4303 assign a weight to the relative quality of the various 4304 representations that can be selected for a resource. 4306 The weight is normalized to a real number in the range 0 through 1, 4307 where 0.001 is the least preferred and 1 is the most preferred; a 4308 value of 0 means "not acceptable". If no "q" parameter is present, 4309 the default weight is 1. 4311 weight = OWS ";" OWS "q=" qvalue 4312 qvalue = ( "0" [ "." 0*3DIGIT ] ) 4313 / ( "1" [ "." 0*3("0") ] ) 4315 A sender of qvalue MUST NOT generate more than three digits after the 4316 decimal point. User configuration of these values ought to be 4317 limited in the same fashion. 4319 8.4.2. Accept 4321 The "Accept" header field can be used by user agents to specify their 4322 preferences regarding response media types. For example, Accept 4323 header fields can be used to indicate that the request is 4324 specifically limited to a small set of desired types, as in the case 4325 of a request for an in-line image. 4327 Accept = #( media-range [ accept-params ] ) 4329 media-range = ( "*/*" 4330 / ( type "/" "*" ) 4331 / ( type "/" subtype ) 4332 ) *( OWS ";" OWS parameter ) 4333 accept-params = weight *( accept-ext ) 4334 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 4336 The asterisk "*" character is used to group media types into ranges, 4337 with "*/*" indicating all media types and "type/*" indicating all 4338 subtypes of that type. The media-range can include media type 4339 parameters that are applicable to that range. 4341 Each media-range might be followed by zero or more applicable media 4342 type parameters (e.g., charset), an optional "q" parameter for 4343 indicating a relative weight (Section 8.4.1), and then zero or more 4344 extension parameters. The "q" parameter is necessary if any 4345 extensions (accept-ext) are present, since it acts as a separator 4346 between the two parameter sets. 4348 Note: Use of the "q" parameter name to separate media type 4349 parameters from Accept extension parameters is due to historical 4350 practice. Although this prevents any media type parameter named 4351 "q" from being used with a media range, such an event is believed 4352 to be unlikely given the lack of any "q" parameters in the IANA 4353 media type registry and the rare usage of any media type 4354 parameters in Accept. Future media types are discouraged from 4355 registering any parameter named "q". 4357 The example 4359 Accept: audio/*; q=0.2, audio/basic 4361 is interpreted as "I prefer audio/basic, but send me any audio type 4362 if it is the best available after an 80% markdown in quality". 4364 A more elaborate example is 4366 Accept: text/plain; q=0.5, text/html, 4367 text/x-dvi; q=0.8, text/x-c 4369 Verbally, this would be interpreted as "text/html and text/x-c are 4370 the equally preferred media types, but if they do not exist, then 4371 send the text/x-dvi representation, and if that does not exist, send 4372 the text/plain representation". 4374 Media ranges can be overridden by more specific media ranges or 4375 specific media types. If more than one media range applies to a 4376 given type, the most specific reference has precedence. For example, 4378 Accept: text/*, text/plain, text/plain;format=flowed, */* 4380 have the following precedence: 4382 1. text/plain;format=flowed 4384 2. text/plain 4386 3. text/* 4388 4. */* 4390 The media type quality factor associated with a given type is 4391 determined by finding the media range with the highest precedence 4392 that matches the type. For example, 4394 Accept: text/*;q=0.3, text/html;q=0.7, text/html;level=1, 4395 text/html;level=2;q=0.4, */*;q=0.5 4397 would cause the following values to be associated: 4399 +-------------------+---------------+ 4400 | Media Type | Quality Value | 4401 +-------------------+---------------+ 4402 | text/html;level=1 | 1 | 4403 | text/html | 0.7 | 4404 | text/plain | 0.3 | 4405 | image/jpeg | 0.5 | 4406 | text/html;level=2 | 0.4 | 4407 | text/html;level=3 | 0.7 | 4408 +-------------------+---------------+ 4410 Note: A user agent might be provided with a default set of quality 4411 values for certain media ranges. However, unless the user agent is a 4412 closed system that cannot interact with other rendering agents, this 4413 default set ought to be configurable by the user. 4415 8.4.3. Accept-Charset 4417 The "Accept-Charset" header field can be sent by a user agent to 4418 indicate its preferences for charsets in textual response content. 4419 For example, this field allows user agents capable of understanding 4420 more comprehensive or special-purpose charsets to signal that 4421 capability to an origin server that is capable of representing 4422 information in those charsets. 4424 Accept-Charset = 1#( ( charset / "*" ) [ weight ] ) 4426 Charset names are defined in Section 6.1.1.1. A user agent MAY 4427 associate a quality value with each charset to indicate the user's 4428 relative preference for that charset, as defined in Section 8.4.1. 4429 An example is 4431 Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 4433 The special value "*", if present in the Accept-Charset field, 4434 matches every charset that is not mentioned elsewhere in the Accept- 4435 Charset field. 4437 Note: Accept-Charset is deprecated because UTF-8 has become nearly 4438 ubiquitous and sending a detailed list of user-preferred charsets 4439 wastes bandwidth, increases latency, and makes passive fingerprinting 4440 far too easy (Section 12.11). Most general-purpose user agents do 4441 not send Accept-Charset, unless specifically configured to do so. 4443 8.4.4. Accept-Encoding 4445 The "Accept-Encoding" header field can be used by user agents to 4446 indicate their preferences regarding response content-codings 4447 (Section 6.1.2). An "identity" token is used as a synonym for "no 4448 encoding" in order to communicate when no encoding is preferred. 4450 Accept-Encoding = #( codings [ weight ] ) 4451 codings = content-coding / "identity" / "*" 4453 Each codings value MAY be given an associated quality value 4454 representing the preference for that encoding, as defined in 4455 Section 8.4.1. The asterisk "*" symbol in an Accept-Encoding field 4456 matches any available content-coding not explicitly listed in the 4457 header field. 4459 For example, 4461 Accept-Encoding: compress, gzip 4462 Accept-Encoding: 4463 Accept-Encoding: * 4464 Accept-Encoding: compress;q=0.5, gzip;q=1.0 4465 Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0 4467 A server tests whether a content-coding for a given representation is 4468 acceptable using these rules: 4470 1. If no Accept-Encoding field is in the request, any content-coding 4471 is considered acceptable by the user agent. 4473 2. If the representation has no content-coding, then it is 4474 acceptable by default unless specifically excluded by the Accept- 4475 Encoding field stating either "identity;q=0" or "*;q=0" without a 4476 more specific entry for "identity". 4478 3. If the representation's content-coding is one of the content- 4479 codings listed in the Accept-Encoding field, then it is 4480 acceptable unless it is accompanied by a qvalue of 0. (As 4481 defined in Section 8.4.1, a qvalue of 0 means "not acceptable".) 4483 4. If multiple content-codings are acceptable, then the acceptable 4484 content-coding with the highest non-zero qvalue is preferred. 4486 An Accept-Encoding header field with a combined field-value that is 4487 empty implies that the user agent does not want any content-coding in 4488 response. If an Accept-Encoding header field is present in a request 4489 and none of the available representations for the response have a 4490 content-coding that is listed as acceptable, the origin server SHOULD 4491 send a response without any content-coding. 4493 Note: Most HTTP/1.0 applications do not recognize or obey qvalues 4494 associated with content-codings. This means that qvalues might 4495 not work and are not permitted with x-gzip or x-compress. 4497 8.4.5. Accept-Language 4499 The "Accept-Language" header field can be used by user agents to 4500 indicate the set of natural languages that are preferred in the 4501 response. Language tags are defined in Section 6.1.3. 4503 Accept-Language = 1#( language-range [ weight ] ) 4504 language-range = 4505 4507 Each language-range can be given an associated quality value 4508 representing an estimate of the user's preference for the languages 4509 specified by that range, as defined in Section 8.4.1. For example, 4511 Accept-Language: da, en-gb;q=0.8, en;q=0.7 4513 would mean: "I prefer Danish, but will accept British English and 4514 other types of English". 4516 Note that some recipients treat the order in which language tags are 4517 listed as an indication of descending priority, particularly for tags 4518 that are assigned equal quality values (no value is the same as q=1). 4519 However, this behavior cannot be relied upon. For consistency and to 4520 maximize interoperability, many user agents assign each language tag 4521 a unique quality value while also listing them in order of decreasing 4522 quality. Additional discussion of language priority lists can be 4523 found in Section 2.3 of [RFC4647]. 4525 For matching, Section 3 of [RFC4647] defines several matching 4526 schemes. Implementations can offer the most appropriate matching 4527 scheme for their requirements. The "Basic Filtering" scheme 4528 ([RFC4647], Section 3.3.1) is identical to the matching scheme that 4529 was previously defined for HTTP in Section 14.4 of [RFC2616]. 4531 It might be contrary to the privacy expectations of the user to send 4532 an Accept-Language header field with the complete linguistic 4533 preferences of the user in every request (Section 12.11). 4535 Since intelligibility is highly dependent on the individual user, 4536 user agents need to allow user control over the linguistic preference 4537 (either through configuration of the user agent itself or by 4538 defaulting to a user controllable system setting). A user agent that 4539 does not provide such control to the user MUST NOT send an Accept- 4540 Language header field. 4542 Note: User agents ought to provide guidance to users when setting 4543 a preference, since users are rarely familiar with the details of 4544 language matching as described above. For example, users might 4545 assume that on selecting "en-gb", they will be served any kind of 4546 English document if British English is not available. A user 4547 agent might suggest, in such a case, to add "en" to the list for 4548 better matching behavior. 4550 8.5. Authentication Credentials 4552 HTTP provides a general framework for access control and 4553 authentication, via an extensible set of challenge-response 4554 authentication schemes, which can be used by a server to challenge a 4555 client request and by a client to provide authentication information. 4557 Two header fields are used for carrying authentication credentials. 4558 Note that various custom mechanisms for user authentication use the 4559 Cookie header field for this purpose, as defined in [RFC6265]. 4561 +---------------------+---------------+ 4562 | Header Field Name | Defined in... | 4563 +---------------------+---------------+ 4564 | Authorization | Section 8.5.3 | 4565 | Proxy-Authorization | Section 8.5.4 | 4566 +---------------------+---------------+ 4568 8.5.1. Challenge and Response 4570 HTTP provides a simple challenge-response authentication framework 4571 that can be used by a server to challenge a client request and by a 4572 client to provide authentication information. It uses a case- 4573 insensitive token as a means to identify the authentication scheme, 4574 followed by additional information necessary for achieving 4575 authentication via that scheme. The latter can be either a comma- 4576 separated list of parameters or a single sequence of characters 4577 capable of holding base64-encoded information. 4579 Authentication parameters are name=value pairs, where the name token 4580 is matched case-insensitively, and each parameter name MUST only 4581 occur once per challenge. 4583 auth-scheme = token 4585 auth-param = token BWS "=" BWS ( token / quoted-string ) 4587 token68 = 1*( ALPHA / DIGIT / 4588 "-" / "." / "_" / "~" / "+" / "/" ) *"=" 4590 The token68 syntax allows the 66 unreserved URI characters 4591 ([RFC3986]), plus a few others, so that it can hold a base64, 4592 base64url (URL and filename safe alphabet), base32, or base16 (hex) 4593 encoding, with or without padding, but excluding whitespace 4594 ([RFC4648]). 4596 A 401 (Unauthorized) response message is used by an origin server to 4597 challenge the authorization of a user agent, including a WWW- 4598 Authenticate header field containing at least one challenge 4599 applicable to the requested resource. 4601 A 407 (Proxy Authentication Required) response message is used by a 4602 proxy to challenge the authorization of a client, including a Proxy- 4603 Authenticate header field containing at least one challenge 4604 applicable to the proxy for the requested resource. 4606 challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 4608 Note: Many clients fail to parse a challenge that contains an 4609 unknown scheme. A workaround for this problem is to list well- 4610 supported schemes (such as "basic") first. 4612 A user agent that wishes to authenticate itself with an origin server 4613 -- usually, but not necessarily, after receiving a 401 (Unauthorized) 4614 -- can do so by including an Authorization header field with the 4615 request. 4617 A client that wishes to authenticate itself with a proxy -- usually, 4618 but not necessarily, after receiving a 407 (Proxy Authentication 4619 Required) -- can do so by including a Proxy-Authorization header 4620 field with the request. 4622 Both the Authorization field value and the Proxy-Authorization field 4623 value contain the client's credentials for the realm of the resource 4624 being requested, based upon a challenge received in a response 4625 (possibly at some point in the past). When creating their values, 4626 the user agent ought to do so by selecting the challenge with what it 4627 considers to be the most secure auth-scheme that it understands, 4628 obtaining credentials from the user as appropriate. Transmission of 4629 credentials within header field values implies significant security 4630 considerations regarding the confidentiality of the underlying 4631 connection, as described in Section 12.14.1. 4633 credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 4635 Upon receipt of a request for a protected resource that omits 4636 credentials, contains invalid credentials (e.g., a bad password) or 4637 partial credentials (e.g., when the authentication scheme requires 4638 more than one round trip), an origin server SHOULD send a 401 4639 (Unauthorized) response that contains a WWW-Authenticate header field 4640 with at least one (possibly new) challenge applicable to the 4641 requested resource. 4643 Likewise, upon receipt of a request that omits proxy credentials or 4644 contains invalid or partial proxy credentials, a proxy that requires 4645 authentication SHOULD generate a 407 (Proxy Authentication Required) 4646 response that contains a Proxy-Authenticate header field with at 4647 least one (possibly new) challenge applicable to the proxy. 4649 A server that receives valid credentials that are not adequate to 4650 gain access ought to respond with the 403 (Forbidden) status code 4651 (Section 9.5.4). 4653 HTTP does not restrict applications to this simple challenge-response 4654 framework for access authentication. Additional mechanisms can be 4655 used, such as authentication at the transport level or via message 4656 encapsulation, and with additional header fields specifying 4657 authentication information. However, such additional mechanisms are 4658 not defined by this specification. 4660 8.5.2. Protection Space (Realm) 4662 The "realm" authentication parameter is reserved for use by 4663 authentication schemes that wish to indicate a scope of protection. 4665 A protection space is defined by the canonical root URI (the scheme 4666 and authority components of the effective request URI; see 4667 Section 5.3) of the server being accessed, in combination with the 4668 realm value if present. These realms allow the protected resources 4669 on a server to be partitioned into a set of protection spaces, each 4670 with its own authentication scheme and/or authorization database. 4671 The realm value is a string, generally assigned by the origin server, 4672 that can have additional semantics specific to the authentication 4673 scheme. Note that a response can have multiple challenges with the 4674 same auth-scheme but with different realms. 4676 The protection space determines the domain over which credentials can 4677 be automatically applied. If a prior request has been authorized, 4678 the user agent MAY reuse the same credentials for all other requests 4679 within that protection space for a period of time determined by the 4680 authentication scheme, parameters, and/or user preferences (such as a 4681 configurable inactivity timeout). Unless specifically allowed by the 4682 authentication scheme, a single protection space cannot extend 4683 outside the scope of its server. 4685 For historical reasons, a sender MUST only generate the quoted-string 4686 syntax. Recipients might have to support both token and quoted- 4687 string syntax for maximum interoperability with existing clients that 4688 have been accepting both notations for a long time. 4690 8.5.3. Authorization 4692 The "Authorization" header field allows a user agent to authenticate 4693 itself with an origin server -- usually, but not necessarily, after 4694 receiving a 401 (Unauthorized) response. Its value consists of 4695 credentials containing the authentication information of the user 4696 agent for the realm of the resource being requested. 4698 Authorization = credentials 4700 If a request is authenticated and a realm specified, the same 4701 credentials are presumed to be valid for all other requests within 4702 this realm (assuming that the authentication scheme itself does not 4703 require otherwise, such as credentials that vary according to a 4704 challenge value or using synchronized clocks). 4706 A proxy forwarding a request MUST NOT modify any Authorization fields 4707 in that request. See Section 3.2 of [Caching] for details of and 4708 requirements pertaining to handling of the Authorization field by 4709 HTTP caches. 4711 8.5.4. Proxy-Authorization 4713 The "Proxy-Authorization" header field allows the client to identify 4714 itself (or its user) to a proxy that requires authentication. Its 4715 value consists of credentials containing the authentication 4716 information of the client for the proxy and/or realm of the resource 4717 being requested. 4719 Proxy-Authorization = credentials 4721 Unlike Authorization, the Proxy-Authorization header field applies 4722 only to the next inbound proxy that demanded authentication using the 4723 Proxy-Authenticate field. When multiple proxies are used in a chain, 4724 the Proxy-Authorization header field is consumed by the first inbound 4725 proxy that was expecting to receive credentials. A proxy MAY relay 4726 the credentials from the client request to the next proxy if that is 4727 the mechanism by which the proxies cooperatively authenticate a given 4728 request. 4730 8.5.5. Authentication Scheme Extensibility 4732 Aside from the general framework, this document does not specify any 4733 authentication schemes. New and existing authentication schemes are 4734 specified independently and ought to be registered within the 4735 "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry". 4736 For example, the "basic" and "digest" authentication schemes are 4737 defined by RFC 7617 and RFC 7616, respectively. 4739 8.5.5.1. Authentication Scheme Registry 4741 The "Hypertext Transfer Protocol (HTTP) Authentication Scheme 4742 Registry" defines the namespace for the authentication schemes in 4743 challenges and credentials. It is maintained at 4744 . 4746 Registrations MUST include the following fields: 4748 o Authentication Scheme Name 4750 o Pointer to specification text 4752 o Notes (optional) 4754 Values to be added to this namespace require IETF Review (see 4755 [RFC8126], Section 4.8). 4757 8.5.5.2. Considerations for New Authentication Schemes 4759 There are certain aspects of the HTTP Authentication framework that 4760 put constraints on how new authentication schemes can work: 4762 o HTTP authentication is presumed to be stateless: all of the 4763 information necessary to authenticate a request MUST be provided 4764 in the request, rather than be dependent on the server remembering 4765 prior requests. Authentication based on, or bound to, the 4766 underlying connection is outside the scope of this specification 4767 and inherently flawed unless steps are taken to ensure that the 4768 connection cannot be used by any party other than the 4769 authenticated user (see Section 2.2). 4771 o The authentication parameter "realm" is reserved for defining 4772 protection spaces as described in Section 8.5.2. New schemes MUST 4773 NOT use it in a way incompatible with that definition. 4775 o The "token68" notation was introduced for compatibility with 4776 existing authentication schemes and can only be used once per 4777 challenge or credential. Thus, new schemes ought to use the auth- 4778 param syntax instead, because otherwise future extensions will be 4779 impossible. 4781 o The parsing of challenges and credentials is defined by this 4782 specification and cannot be modified by new authentication 4783 schemes. When the auth-param syntax is used, all parameters ought 4784 to support both token and quoted-string syntax, and syntactical 4785 constraints ought to be defined on the field value after parsing 4786 (i.e., quoted-string processing). This is necessary so that 4787 recipients can use a generic parser that applies to all 4788 authentication schemes. 4790 Note: The fact that the value syntax for the "realm" parameter is 4791 restricted to quoted-string was a bad design choice not to be 4792 repeated for new parameters. 4794 o Definitions of new schemes ought to define the treatment of 4795 unknown extension parameters. In general, a "must-ignore" rule is 4796 preferable to a "must-understand" rule, because otherwise it will 4797 be hard to introduce new parameters in the presence of legacy 4798 recipients. Furthermore, it's good to describe the policy for 4799 defining new parameters (such as "update the specification" or 4800 "use this registry"). 4802 o Authentication schemes need to document whether they are usable in 4803 origin-server authentication (i.e., using WWW-Authenticate), and/ 4804 or proxy authentication (i.e., using Proxy-Authenticate). 4806 o The credentials carried in an Authorization header field are 4807 specific to the user agent and, therefore, have the same effect on 4808 HTTP caches as the "private" Cache-Control response directive 4809 (Section 5.2.2.6 of [Caching]), within the scope of the request in 4810 which they appear. 4812 Therefore, new authentication schemes that choose not to carry 4813 credentials in the Authorization header field (e.g., using a newly 4814 defined header field) will need to explicitly disallow caching, by 4815 mandating the use of Cache-Control response directives (e.g., 4816 "private"). 4818 o Schemes using Authentication-Info, Proxy-Authentication-Info, or 4819 any other authentication related response header field need to 4820 consider and document the related security considerations (see 4821 Section 12.14.4). 4823 8.6. Request Context 4825 The following request header fields provide additional information 4826 about the request context, including information about the user, user 4827 agent, and resource behind the request. 4829 +-------------------+---------------+ 4830 | Header Field Name | Defined in... | 4831 +-------------------+---------------+ 4832 | From | Section 8.6.1 | 4833 | Referer | Section 8.6.2 | 4834 | User-Agent | Section 8.6.3 | 4835 +-------------------+---------------+ 4837 8.6.1. From 4839 The "From" header field contains an Internet email address for a 4840 human user who controls the requesting user agent. The address ought 4841 to be machine-usable, as defined by "mailbox" in Section 3.4 of 4842 [RFC5322]: 4844 From = mailbox 4846 mailbox = 4848 An example is: 4850 From: webmaster@example.org 4852 The From header field is rarely sent by non-robotic user agents. A 4853 user agent SHOULD NOT send a From header field without explicit 4854 configuration by the user, since that might conflict with the user's 4855 privacy interests or their site's security policy. 4857 A robotic user agent SHOULD send a valid From header field so that 4858 the person responsible for running the robot can be contacted if 4859 problems occur on servers, such as if the robot is sending excessive, 4860 unwanted, or invalid requests. 4862 A server SHOULD NOT use the From header field for access control or 4863 authentication, since most recipients will assume that the field 4864 value is public information. 4866 8.6.2. Referer 4868 The "Referer" [sic] header field allows the user agent to specify a 4869 URI reference for the resource from which the target URI was obtained 4870 (i.e., the "referrer", though the field name is misspelled). A user 4871 agent MUST NOT include the fragment and userinfo components of the 4872 URI reference [RFC3986], if any, when generating the Referer field 4873 value. 4875 Referer = absolute-URI / partial-URI 4877 The Referer header field allows servers to generate back-links to 4878 other resources for simple analytics, logging, optimized caching, 4879 etc. It also allows obsolete or mistyped links to be found for 4880 maintenance. Some servers use the Referer header field as a means of 4881 denying links from other sites (so-called "deep linking") or 4882 restricting cross-site request forgery (CSRF), but not all requests 4883 contain it. 4885 Example: 4887 Referer: http://www.example.org/hypertext/Overview.html 4889 If the target URI was obtained from a source that does not have its 4890 own URI (e.g., input from the user keyboard, or an entry within the 4891 user's bookmarks/favorites), the user agent MUST either exclude the 4892 Referer field or send it with a value of "about:blank". 4894 The Referer field has the potential to reveal information about the 4895 request context or browsing history of the user, which is a privacy 4896 concern if the referring resource's identifier reveals personal 4897 information (such as an account name) or a resource that is supposed 4898 to be confidential (such as behind a firewall or internal to a 4899 secured service). Most general-purpose user agents do not send the 4900 Referer header field when the referring resource is a local "file" or 4901 "data" URI. A user agent MUST NOT send a Referer header field in an 4902 unsecured HTTP request if the referring page was received with a 4903 secure protocol. See Section 12.8 for additional security 4904 considerations. 4906 Some intermediaries have been known to indiscriminately remove 4907 Referer header fields from outgoing requests. This has the 4908 unfortunate side effect of interfering with protection against CSRF 4909 attacks, which can be far more harmful to their users. 4910 Intermediaries and user agent extensions that wish to limit 4911 information disclosure in Referer ought to restrict their changes to 4912 specific edits, such as replacing internal domain names with 4913 pseudonyms or truncating the query and/or path components. An 4914 intermediary SHOULD NOT modify or delete the Referer header field 4915 when the field value shares the same scheme and host as the request 4916 target. 4918 8.6.3. User-Agent 4920 The "User-Agent" header field contains information about the user 4921 agent originating the request, which is often used by servers to help 4922 identify the scope of reported interoperability problems, to work 4923 around or tailor responses to avoid particular user agent 4924 limitations, and for analytics regarding browser or operating system 4925 use. A user agent SHOULD send a User-Agent field in each request 4926 unless specifically configured not to do so. 4928 User-Agent = product *( RWS ( product / comment ) ) 4930 The User-Agent field-value consists of one or more product 4931 identifiers, each followed by zero or more comments (Section 5 of 4932 [Messaging]), which together identify the user agent software and its 4933 significant subproducts. By convention, the product identifiers are 4934 listed in decreasing order of their significance for identifying the 4935 user agent software. Each product identifier consists of a name and 4936 optional version. 4938 product = token ["/" product-version] 4939 product-version = token 4941 A sender SHOULD limit generated product identifiers to what is 4942 necessary to identify the product; a sender MUST NOT generate 4943 advertising or other nonessential information within the product 4944 identifier. A sender SHOULD NOT generate information in product- 4945 version that is not a version identifier (i.e., successive versions 4946 of the same product name ought to differ only in the product-version 4947 portion of the product identifier). 4949 Example: 4951 User-Agent: CERN-LineMode/2.15 libwww/2.17b3 4953 A user agent SHOULD NOT generate a User-Agent field containing 4954 needlessly fine-grained detail and SHOULD limit the addition of 4955 subproducts by third parties. Overly long and detailed User-Agent 4956 field values increase request latency and the risk of a user being 4957 identified against their wishes ("fingerprinting"). 4959 Likewise, implementations are encouraged not to use the product 4960 tokens of other implementations in order to declare compatibility 4961 with them, as this circumvents the purpose of the field. If a user 4962 agent masquerades as a different user agent, recipients can assume 4963 that the user intentionally desires to see responses tailored for 4964 that identified user agent, even if they might not work as well for 4965 the actual user agent being used. 4967 9. Response Status Codes 4969 The (response) status code is a three-digit integer code giving the 4970 result of the attempt to understand and satisfy the request. 4972 HTTP status codes are extensible. HTTP clients are not required to 4973 understand the meaning of all registered status codes, though such 4974 understanding is obviously desirable. However, a client MUST 4975 understand the class of any status code, as indicated by the first 4976 digit, and treat an unrecognized status code as being equivalent to 4977 the x00 status code of that class, with the exception that a 4978 recipient MUST NOT cache a response with an unrecognized status code. 4980 For example, if an unrecognized status code of 471 is received by a 4981 client, the client can assume that there was something wrong with its 4982 request and treat the response as if it had received a 400 (Bad 4983 Request) status code. The response message will usually contain a 4984 representation that explains the status. 4986 The first digit of the status code defines the class of response. 4987 The last two digits do not have any categorization role. There are 4988 five values for the first digit: 4990 o 1xx (Informational): The request was received, continuing process 4992 o 2xx (Successful): The request was successfully received, 4993 understood, and accepted 4995 o 3xx (Redirection): Further action needs to be taken in order to 4996 complete the request 4998 o 4xx (Client Error): The request contains bad syntax or cannot be 4999 fulfilled 5001 o 5xx (Server Error): The server failed to fulfill an apparently 5002 valid request 5004 9.1. Overview of Status Codes 5006 The status codes listed below are defined in this specification. The 5007 reason phrases listed here are only recommendations -- they can be 5008 replaced by local equivalents without affecting the protocol. 5010 Responses with status codes that are defined as cacheable by default 5011 (e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, and 501 in 5012 this specification) can be reused by a cache with heuristic 5013 expiration unless otherwise indicated by the method definition or 5014 explicit cache controls [Caching]; all other status codes are not 5015 cacheable by default. 5017 +-------+-------------------------------+-----------------+ 5018 | Value | Description | Reference | 5019 +-------+-------------------------------+-----------------+ 5020 | 100 | Continue | Section 9.2.1 | 5021 | 101 | Switching Protocols | Section 9.2.2 | 5022 | 200 | OK | Section 9.3.1 | 5023 | 201 | Created | Section 9.3.2 | 5024 | 202 | Accepted | Section 9.3.3 | 5025 | 203 | Non-Authoritative Information | Section 9.3.4 | 5026 | 204 | No Content | Section 9.3.5 | 5027 | 205 | Reset Content | Section 9.3.6 | 5028 | 206 | Partial Content | Section 9.3.7 | 5029 | 300 | Multiple Choices | Section 9.4.1 | 5030 | 301 | Moved Permanently | Section 9.4.2 | 5031 | 302 | Found | Section 9.4.3 | 5032 | 303 | See Other | Section 9.4.4 | 5033 | 304 | Not Modified | Section 9.4.5 | 5034 | 305 | Use Proxy | Section 9.4.6 | 5035 | 306 | (Unused) | Section 9.4.7 | 5036 | 307 | Temporary Redirect | Section 9.4.8 | 5037 | 308 | Permanent Redirect | Section 9.4.9 | 5038 | 400 | Bad Request | Section 9.5.1 | 5039 | 401 | Unauthorized | Section 9.5.2 | 5040 | 402 | Payment Required | Section 9.5.3 | 5041 | 403 | Forbidden | Section 9.5.4 | 5042 | 404 | Not Found | Section 9.5.5 | 5043 | 405 | Method Not Allowed | Section 9.5.6 | 5044 | 406 | Not Acceptable | Section 9.5.7 | 5045 | 407 | Proxy Authentication Required | Section 9.5.8 | 5046 | 408 | Request Timeout | Section 9.5.9 | 5047 | 409 | Conflict | Section 9.5.10 | 5048 | 410 | Gone | Section 9.5.11 | 5049 | 411 | Length Required | Section 9.5.12 | 5050 | 412 | Precondition Failed | Section 9.5.13 | 5051 | 413 | Payload Too Large | Section 9.5.14 | 5052 | 414 | URI Too Long | Section 9.5.15 | 5053 | 415 | Unsupported Media Type | Section 9.5.16 | 5054 | 416 | Range Not Satisfiable | Section 9.5.17 | 5055 | 417 | Expectation Failed | Section 9.5.18 | 5056 | 418 | (Unused) | Section 9.5.19 | 5057 | 422 | Unprocessable Payload | Section 9.5.20 | 5058 | 426 | Upgrade Required | Section 9.5.21 | 5059 | 500 | Internal Server Error | Section 9.6.1 | 5060 | 501 | Not Implemented | Section 9.6.2 | 5061 | 502 | Bad Gateway | Section 9.6.3 | 5062 | 503 | Service Unavailable | Section 9.6.4 | 5063 | 504 | Gateway Timeout | Section 9.6.5 | 5064 | 505 | HTTP Version Not Supported | Section 9.6.6 | 5065 +-------+-------------------------------+-----------------+ 5067 Table 6 5069 Note that this list is not exhaustive -- it does not include 5070 extension status codes defined in other specifications (Section 9.7). 5072 9.2. Informational 1xx 5074 The 1xx (Informational) class of status code indicates an interim 5075 response for communicating connection status or request progress 5076 prior to completing the requested action and sending a final 5077 response. 1xx responses are terminated by the first empty line after 5078 the status-line (the empty line signaling the end of the header 5079 section). Since HTTP/1.0 did not define any 1xx status codes, a 5080 server MUST NOT send a 1xx response to an HTTP/1.0 client. 5082 A client MUST be able to parse one or more 1xx responses received 5083 prior to a final response, even if the client does not expect one. A 5084 user agent MAY ignore unexpected 1xx responses. 5086 A proxy MUST forward 1xx responses unless the proxy itself requested 5087 the generation of the 1xx response. For example, if a proxy adds an 5088 "Expect: 100-continue" field when it forwards a request, then it need 5089 not forward the corresponding 100 (Continue) response(s). 5091 9.2.1. 100 Continue 5093 The 100 (Continue) status code indicates that the initial part of a 5094 request has been received and has not yet been rejected by the 5095 server. The server intends to send a final response after the 5096 request has been fully received and acted upon. 5098 When the request contains an Expect header field that includes a 5099 100-continue expectation, the 100 response indicates that the server 5100 wishes to receive the request payload body, as described in 5101 Section 8.1.1. The client ought to continue sending the request and 5102 discard the 100 response. 5104 If the request did not contain an Expect header field containing the 5105 100-continue expectation, the client can simply discard this interim 5106 response. 5108 9.2.2. 101 Switching Protocols 5110 The 101 (Switching Protocols) status code indicates that the server 5111 understands and is willing to comply with the client's request, via 5112 the Upgrade header field (Section 9.8 of [Messaging]), for a change 5113 in the application protocol being used on this connection. The 5114 server MUST generate an Upgrade header field in the response that 5115 indicates which protocol(s) will be switched to immediately after the 5116 empty line that terminates the 101 response. 5118 It is assumed that the server will only agree to switch protocols 5119 when it is advantageous to do so. For example, switching to a newer 5120 version of HTTP might be advantageous over older versions, and 5121 switching to a real-time, synchronous protocol might be advantageous 5122 when delivering resources that use such features. 5124 9.3. Successful 2xx 5126 The 2xx (Successful) class of status code indicates that the client's 5127 request was successfully received, understood, and accepted. 5129 9.3.1. 200 OK 5131 The 200 (OK) status code indicates that the request has succeeded. 5132 The payload sent in a 200 response depends on the request method. 5133 For the methods defined by this specification, the intended meaning 5134 of the payload can be summarized as: 5136 GET a representation of the target resource; 5137 HEAD the same representation as GET, but without the representation 5138 data; 5140 POST a representation of the status of, or results obtained from, 5141 the action; 5143 PUT, DELETE a representation of the status of the action; 5145 OPTIONS a representation of the communications options; 5147 TRACE a representation of the request message as received by the end 5148 server. 5150 Aside from responses to CONNECT, a 200 response always has a payload, 5151 though an origin server MAY generate a payload body of zero length. 5152 If no payload is desired, an origin server ought to send 204 (No 5153 Content) instead. For CONNECT, no payload is allowed because the 5154 successful result is a tunnel, which begins immediately after the 200 5155 response header section. 5157 A 200 response is cacheable by default; i.e., unless otherwise 5158 indicated by the method definition or explicit cache controls (see 5159 Section 4.2.2 of [Caching]). 5161 9.3.2. 201 Created 5163 The 201 (Created) status code indicates that the request has been 5164 fulfilled and has resulted in one or more new resources being 5165 created. The primary resource created by the request is identified 5166 by either a Location header field in the response or, if no Location 5167 field is received, by the effective request URI. 5169 The 201 response payload typically describes and links to the 5170 resource(s) created. See Section 10.2 for a discussion of the 5171 meaning and purpose of validator header fields, such as ETag and 5172 Last-Modified, in a 201 response. 5174 9.3.3. 202 Accepted 5176 The 202 (Accepted) status code indicates that the request has been 5177 accepted for processing, but the processing has not been completed. 5178 The request might or might not eventually be acted upon, as it might 5179 be disallowed when processing actually takes place. There is no 5180 facility in HTTP for re-sending a status code from an asynchronous 5181 operation. 5183 The 202 response is intentionally noncommittal. Its purpose is to 5184 allow a server to accept a request for some other process (perhaps a 5185 batch-oriented process that is only run once per day) without 5186 requiring that the user agent's connection to the server persist 5187 until the process is completed. The representation sent with this 5188 response ought to describe the request's current status and point to 5189 (or embed) a status monitor that can provide the user with an 5190 estimate of when the request will be fulfilled. 5192 9.3.4. 203 Non-Authoritative Information 5194 The 203 (Non-Authoritative Information) status code indicates that 5195 the request was successful but the enclosed payload has been modified 5196 from that of the origin server's 200 (OK) response by a transforming 5197 proxy (Section 5.5.2). This status code allows the proxy to notify 5198 recipients when a transformation has been applied, since that 5199 knowledge might impact later decisions regarding the content. For 5200 example, future cache validation requests for the content might only 5201 be applicable along the same request path (through the same proxies). 5203 The 203 response is similar to the Warning code of 214 Transformation 5204 Applied (Section 5.5 of [Caching]), which has the advantage of being 5205 applicable to responses with any status code. 5207 A 203 response is cacheable by default; i.e., unless otherwise 5208 indicated by the method definition or explicit cache controls (see 5209 Section 4.2.2 of [Caching]). 5211 9.3.5. 204 No Content 5213 The 204 (No Content) status code indicates that the server has 5214 successfully fulfilled the request and that there is no additional 5215 content to send in the response payload body. Metadata in the 5216 response header fields refer to the target resource and its selected 5217 representation after the requested action was applied. 5219 For example, if a 204 status code is received in response to a PUT 5220 request and the response contains an ETag header field, then the PUT 5221 was successful and the ETag field-value contains the entity-tag for 5222 the new representation of that target resource. 5224 The 204 response allows a server to indicate that the action has been 5225 successfully applied to the target resource, while implying that the 5226 user agent does not need to traverse away from its current "document 5227 view" (if any). The server assumes that the user agent will provide 5228 some indication of the success to its user, in accord with its own 5229 interface, and apply any new or updated metadata in the response to 5230 its active representation. 5232 For example, a 204 status code is commonly used with document editing 5233 interfaces corresponding to a "save" action, such that the document 5234 being saved remains available to the user for editing. It is also 5235 frequently used with interfaces that expect automated data transfers 5236 to be prevalent, such as within distributed version control systems. 5238 A 204 response is terminated by the first empty line after the header 5239 fields because it cannot contain a message body. 5241 A 204 response is cacheable by default; i.e., unless otherwise 5242 indicated by the method definition or explicit cache controls (see 5243 Section 4.2.2 of [Caching]). 5245 9.3.6. 205 Reset Content 5247 The 205 (Reset Content) status code indicates that the server has 5248 fulfilled the request and desires that the user agent reset the 5249 "document view", which caused the request to be sent, to its original 5250 state as received from the origin server. 5252 This response is intended to support a common data entry use case 5253 where the user receives content that supports data entry (a form, 5254 notepad, canvas, etc.), enters or manipulates data in that space, 5255 causes the entered data to be submitted in a request, and then the 5256 data entry mechanism is reset for the next entry so that the user can 5257 easily initiate another input action. 5259 Since the 205 status code implies that no additional content will be 5260 provided, a server MUST NOT generate a payload in a 205 response. In 5261 other words, a server MUST do one of the following for a 205 5262 response: a) indicate a zero-length body for the response by 5263 including a Content-Length header field with a value of 0; b) 5264 indicate a zero-length payload for the response by including a 5265 Transfer-Encoding header field with a value of chunked and a message 5266 body consisting of a single chunk of zero-length; or, c) close the 5267 connection immediately after sending the blank line terminating the 5268 header section. 5270 9.3.7. 206 Partial Content 5272 The 206 (Partial Content) status code indicates that the server is 5273 successfully fulfilling a range request for the target resource by 5274 transferring one or more parts of the selected representation. 5276 When a 206 response is generated, the server MUST generate the 5277 following header fields, in addition to those required in the 5278 subsections below, if the field would have been sent in a 200 (OK) 5279 response to the same request: Date, Cache-Control, ETag, Expires, 5280 Content-Location, and Vary. 5282 If a 206 is generated in response to a request with an If-Range 5283 header field, the sender SHOULD NOT generate other representation 5284 header fields beyond those required, because the client is understood 5285 to already have a prior response containing those header fields. 5286 Otherwise, the sender MUST generate all of the representation header 5287 fields that would have been sent in a 200 (OK) response to the same 5288 request. 5290 A 206 response is cacheable by default; i.e., unless otherwise 5291 indicated by explicit cache controls (see Section 4.2.2 of 5292 [Caching]). 5294 9.3.7.1. Single Part 5296 If a single part is being transferred, the server generating the 206 5297 response MUST generate a Content-Range header field, describing what 5298 range of the selected representation is enclosed, and a payload 5299 consisting of the range. For example: 5301 HTTP/1.1 206 Partial Content 5302 Date: Wed, 15 Nov 1995 06:25:24 GMT 5303 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 5304 Content-Range: bytes 21010-47021/47022 5305 Content-Length: 26012 5306 Content-Type: image/gif 5308 ... 26012 bytes of partial image data ... 5310 9.3.7.2. Multiple Parts 5312 If multiple parts are being transferred, the server generating the 5313 206 response MUST generate a "multipart/byteranges" payload, as 5314 defined in Section 6.3.4, and a Content-Type header field containing 5315 the multipart/byteranges media type and its required boundary 5316 parameter. To avoid confusion with single-part responses, a server 5317 MUST NOT generate a Content-Range header field in the HTTP header 5318 section of a multiple part response (this field will be sent in each 5319 part instead). 5321 Within the header area of each body part in the multipart payload, 5322 the server MUST generate a Content-Range header field corresponding 5323 to the range being enclosed in that body part. If the selected 5324 representation would have had a Content-Type header field in a 200 5325 (OK) response, the server SHOULD generate that same Content-Type 5326 field in the header area of each body part. For example: 5328 HTTP/1.1 206 Partial Content 5329 Date: Wed, 15 Nov 1995 06:25:24 GMT 5330 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 5331 Content-Length: 1741 5332 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 5334 --THIS_STRING_SEPARATES 5335 Content-Type: application/pdf 5336 Content-Range: bytes 500-999/8000 5338 ...the first range... 5339 --THIS_STRING_SEPARATES 5340 Content-Type: application/pdf 5341 Content-Range: bytes 7000-7999/8000 5343 ...the second range 5344 --THIS_STRING_SEPARATES-- 5346 When multiple ranges are requested, a server MAY coalesce any of the 5347 ranges that overlap, or that are separated by a gap that is smaller 5348 than the overhead of sending multiple parts, regardless of the order 5349 in which the corresponding byte-range-spec appeared in the received 5350 Range header field. Since the typical overhead between parts of a 5351 multipart/byteranges payload is around 80 bytes, depending on the 5352 selected representation's media type and the chosen boundary 5353 parameter length, it can be less efficient to transfer many small 5354 disjoint parts than it is to transfer the entire selected 5355 representation. 5357 A server MUST NOT generate a multipart response to a request for a 5358 single range, since a client that does not request multiple parts 5359 might not support multipart responses. However, a server MAY 5360 generate a multipart/byteranges payload with only a single body part 5361 if multiple ranges were requested and only one range was found to be 5362 satisfiable or only one range remained after coalescing. A client 5363 that cannot process a multipart/byteranges response MUST NOT generate 5364 a request that asks for multiple ranges. 5366 When a multipart response payload is generated, the server SHOULD 5367 send the parts in the same order that the corresponding byte-range- 5368 spec appeared in the received Range header field, excluding those 5369 ranges that were deemed unsatisfiable or that were coalesced into 5370 other ranges. A client that receives a multipart response MUST 5371 inspect the Content-Range header field present in each body part in 5372 order to determine which range is contained in that body part; a 5373 client cannot rely on receiving the same ranges that it requested, 5374 nor the same order that it requested. 5376 9.3.7.3. Combining Parts 5378 A response might transfer only a subrange of a representation if the 5379 connection closed prematurely or if the request used one or more 5380 Range specifications. After several such transfers, a client might 5381 have received several ranges of the same representation. These 5382 ranges can only be safely combined if they all have in common the 5383 same strong validator (Section 10.2.1). 5385 A client that has received multiple partial responses to GET requests 5386 on a target resource MAY combine those responses into a larger 5387 continuous range if they share the same strong validator. 5389 If the most recent response is an incomplete 200 (OK) response, then 5390 the header fields of that response are used for any combined response 5391 and replace those of the matching stored responses. 5393 If the most recent response is a 206 (Partial Content) response and 5394 at least one of the matching stored responses is a 200 (OK), then the 5395 combined response header fields consist of the most recent 200 5396 response's header fields. If all of the matching stored responses 5397 are 206 responses, then the stored response with the most recent 5398 header fields is used as the source of header fields for the combined 5399 response, except that the client MUST use other header fields 5400 provided in the new response, aside from Content-Range, to replace 5401 all instances of the corresponding header fields in the stored 5402 response. 5404 The combined response message body consists of the union of partial 5405 content ranges in the new response and each of the selected 5406 responses. If the union consists of the entire range of the 5407 representation, then the client MUST process the combined response as 5408 if it were a complete 200 (OK) response, including a Content-Length 5409 header field that reflects the complete length. Otherwise, the 5410 client MUST process the set of continuous ranges as one of the 5411 following: an incomplete 200 (OK) response if the combined response 5412 is a prefix of the representation, a single 206 (Partial Content) 5413 response containing a multipart/byteranges body, or multiple 206 5414 (Partial Content) responses, each with one continuous range that is 5415 indicated by a Content-Range header field. 5417 9.4. Redirection 3xx 5419 The 3xx (Redirection) class of status code indicates that further 5420 action needs to be taken by the user agent in order to fulfill the 5421 request. If a Location header field (Section 10.1.2) is provided, 5422 the user agent MAY automatically redirect its request to the URI 5423 referenced by the Location field value, even if the specific status 5424 code is not understood. Automatic redirection needs to be done with 5425 care for methods not known to be safe, as defined in Section 7.2.1, 5426 since the user might not wish to redirect an unsafe request. 5428 There are several types of redirects: 5430 1. Redirects that indicate the resource might be available at a 5431 different URI, as provided by the Location field, as in the 5432 status codes 301 (Moved Permanently), 302 (Found), 307 (Temporary 5433 Redirect), and 308 (Permanent Redirect). 5435 2. Redirection that offers a choice of matching resources, each 5436 capable of representing the original request target, as in the 5437 300 (Multiple Choices) status code. 5439 3. Redirection to a different resource, identified by the Location 5440 field, that can represent an indirect response to the request, as 5441 in the 303 (See Other) status code. 5443 4. Redirection to a previously cached result, as in the 304 (Not 5444 Modified) status code. 5446 Note: In HTTP/1.0, the status codes 301 (Moved Permanently) and 5447 302 (Found) were defined for the first type of redirect 5448 ([RFC1945], Section 9.3). Early user agents split on whether the 5449 method applied to the redirect target would be the same as the 5450 original request or would be rewritten as GET. Although HTTP 5451 originally defined the former semantics for 301 and 302 (to match 5452 its original implementation at CERN), and defined 303 (See Other) 5453 to match the latter semantics, prevailing practice gradually 5454 converged on the latter semantics for 301 and 302 as well. The 5455 first revision of HTTP/1.1 added 307 (Temporary Redirect) to 5456 indicate the former semantics of 302 without being impacted by 5457 divergent practice. For the same reason, 308 (Permanent Redirect) 5458 was later on added in [RFC7538] to match 301. Over 10 years 5459 later, most user agents still do method rewriting for 301 and 302; 5460 therefore, [RFC7231] made that behavior conformant when the 5461 original request is POST. 5463 A client SHOULD detect and intervene in cyclical redirections (i.e., 5464 "infinite" redirection loops). 5466 Note: An earlier version of this specification recommended a 5467 maximum of five redirections ([RFC2068], Section 10.3). Content 5468 developers need to be aware that some clients might implement such 5469 a fixed limitation. 5471 9.4.1. 300 Multiple Choices 5473 The 300 (Multiple Choices) status code indicates that the target 5474 resource has more than one representation, each with its own more 5475 specific identifier, and information about the alternatives is being 5476 provided so that the user (or user agent) can select a preferred 5477 representation by redirecting its request to one or more of those 5478 identifiers. In other words, the server desires that the user agent 5479 engage in reactive negotiation to select the most appropriate 5480 representation(s) for its needs (Section 6.4). 5482 If the server has a preferred choice, the server SHOULD generate a 5483 Location header field containing a preferred choice's URI reference. 5484 The user agent MAY use the Location field value for automatic 5485 redirection. 5487 For request methods other than HEAD, the server SHOULD generate a 5488 payload in the 300 response containing a list of representation 5489 metadata and URI reference(s) from which the user or user agent can 5490 choose the one most preferred. The user agent MAY make a selection 5491 from that list automatically if it understands the provided media 5492 type. A specific format for automatic selection is not defined by 5493 this specification because HTTP tries to remain orthogonal to the 5494 definition of its payloads. In practice, the representation is 5495 provided in some easily parsed format believed to be acceptable to 5496 the user agent, as determined by shared design or content 5497 negotiation, or in some commonly accepted hypertext format. 5499 A 300 response is cacheable by default; i.e., unless otherwise 5500 indicated by the method definition or explicit cache controls (see 5501 Section 4.2.2 of [Caching]). 5503 Note: The original proposal for the 300 status code defined the 5504 URI header field as providing a list of alternative 5505 representations, such that it would be usable for 200, 300, and 5506 406 responses and be transferred in responses to the HEAD method. 5507 However, lack of deployment and disagreement over syntax led to 5508 both URI and Alternates (a subsequent proposal) being dropped from 5509 this specification. It is possible to communicate the list using 5510 a set of Link header fields [RFC8288], each with a relationship of 5511 "alternate", though deployment is a chicken-and-egg problem. 5513 9.4.2. 301 Moved Permanently 5515 The 301 (Moved Permanently) status code indicates that the target 5516 resource has been assigned a new permanent URI and any future 5517 references to this resource ought to use one of the enclosed URIs. 5518 Clients with link-editing capabilities ought to automatically re-link 5519 references to the effective request URI to one or more of the new 5520 references sent by the server, where possible. 5522 The server SHOULD generate a Location header field in the response 5523 containing a preferred URI reference for the new permanent URI. The 5524 user agent MAY use the Location field value for automatic 5525 redirection. The server's response payload usually contains a short 5526 hypertext note with a hyperlink to the new URI(s). 5528 Note: For historical reasons, a user agent MAY change the request 5529 method from POST to GET for the subsequent request. If this 5530 behavior is undesired, the 308 (Permanent Redirect) status code 5531 can be used instead. 5533 A 301 response is cacheable by default; i.e., unless otherwise 5534 indicated by the method definition or explicit cache controls (see 5535 Section 4.2.2 of [Caching]). 5537 9.4.3. 302 Found 5539 The 302 (Found) status code indicates that the target resource 5540 resides temporarily under a different URI. Since the redirection 5541 might be altered on occasion, the client ought to continue to use the 5542 effective request URI for future requests. 5544 The server SHOULD generate a Location header field in the response 5545 containing a URI reference for the different URI. The user agent MAY 5546 use the Location field value for automatic redirection. The server's 5547 response payload usually contains a short hypertext note with a 5548 hyperlink to the different URI(s). 5550 Note: For historical reasons, a user agent MAY change the request 5551 method from POST to GET for the subsequent request. If this 5552 behavior is undesired, the 307 (Temporary Redirect) status code 5553 can be used instead. 5555 9.4.4. 303 See Other 5557 The 303 (See Other) status code indicates that the server is 5558 redirecting the user agent to a different resource, as indicated by a 5559 URI in the Location header field, which is intended to provide an 5560 indirect response to the original request. A user agent can perform 5561 a retrieval request targeting that URI (a GET or HEAD request if 5562 using HTTP), which might also be redirected, and present the eventual 5563 result as an answer to the original request. Note that the new URI 5564 in the Location header field is not considered equivalent to the 5565 effective request URI. 5567 This status code is applicable to any HTTP method. It is primarily 5568 used to allow the output of a POST action to redirect the user agent 5569 to a selected resource, since doing so provides the information 5570 corresponding to the POST response in a form that can be separately 5571 identified, bookmarked, and cached, independent of the original 5572 request. 5574 A 303 response to a GET request indicates that the origin server does 5575 not have a representation of the target resource that can be 5576 transferred by the server over HTTP. However, the Location field 5577 value refers to a resource that is descriptive of the target 5578 resource, such that making a retrieval request on that other resource 5579 might result in a representation that is useful to recipients without 5580 implying that it represents the original target resource. Note that 5581 answers to the questions of what can be represented, what 5582 representations are adequate, and what might be a useful description 5583 are outside the scope of HTTP. 5585 Except for responses to a HEAD request, the representation of a 303 5586 response ought to contain a short hypertext note with a hyperlink to 5587 the same URI reference provided in the Location header field. 5589 9.4.5. 304 Not Modified 5591 The 304 (Not Modified) status code indicates that a conditional GET 5592 or HEAD request has been received and would have resulted in a 200 5593 (OK) response if it were not for the fact that the condition 5594 evaluated to false. In other words, there is no need for the server 5595 to transfer a representation of the target resource because the 5596 request indicates that the client, which made the request 5597 conditional, already has a valid representation; the server is 5598 therefore redirecting the client to make use of that stored 5599 representation as if it were the payload of a 200 (OK) response. 5601 The server generating a 304 response MUST generate any of the 5602 following header fields that would have been sent in a 200 (OK) 5603 response to the same request: Cache-Control, Content-Location, Date, 5604 ETag, Expires, and Vary. 5606 Since the goal of a 304 response is to minimize information transfer 5607 when the recipient already has one or more cached representations, a 5608 sender SHOULD NOT generate representation metadata other than the 5609 above listed fields unless said metadata exists for the purpose of 5610 guiding cache updates (e.g., Last-Modified might be useful if the 5611 response does not have an ETag field). 5613 Requirements on a cache that receives a 304 response are defined in 5614 Section 4.3.4 of [Caching]. If the conditional request originated 5615 with an outbound client, such as a user agent with its own cache 5616 sending a conditional GET to a shared proxy, then the proxy SHOULD 5617 forward the 304 response to that client. 5619 A 304 response cannot contain a message-body; it is always terminated 5620 by the first empty line after the header fields. 5622 9.4.6. 305 Use Proxy 5624 The 305 (Use Proxy) status code was defined in a previous version of 5625 this specification and is now deprecated (Appendix B of [RFC7231]). 5627 9.4.7. 306 (Unused) 5629 The 306 status code was defined in a previous version of this 5630 specification, is no longer used, and the code is reserved. 5632 9.4.8. 307 Temporary Redirect 5634 The 307 (Temporary Redirect) status code indicates that the target 5635 resource resides temporarily under a different URI and the user agent 5636 MUST NOT change the request method if it performs an automatic 5637 redirection to that URI. Since the redirection can change over time, 5638 the client ought to continue using the original effective request URI 5639 for future requests. 5641 The server SHOULD generate a Location header field in the response 5642 containing a URI reference for the different URI. The user agent MAY 5643 use the Location field value for automatic redirection. The server's 5644 response payload usually contains a short hypertext note with a 5645 hyperlink to the different URI(s). 5647 9.4.9. 308 Permanent Redirect 5649 The 308 (Permanent Redirect) status code indicates that the target 5650 resource has been assigned a new permanent URI and any future 5651 references to this resource ought to use one of the enclosed URIs. 5652 Clients with link editing capabilities ought to automatically re-link 5653 references to the effective request URI to one or more of the new 5654 references sent by the server, where possible. 5656 The server SHOULD generate a Location header field in the response 5657 containing a preferred URI reference for the new permanent URI. The 5658 user agent MAY use the Location field value for automatic 5659 redirection. The server's response payload usually contains a short 5660 hypertext note with a hyperlink to the new URI(s). 5662 A 308 response is cacheable by default; i.e., unless otherwise 5663 indicated by the method definition or explicit cache controls (see 5664 Section 4.2.2 of [Caching]). 5666 Note: This status code is much younger (June 2014) than its 5667 sibling codes, and thus might not be recognized everywhere. See 5668 Section 4 of [RFC7538] for deployment considerations. 5670 9.5. Client Error 4xx 5672 The 4xx (Client Error) class of status code indicates that the client 5673 seems to have erred. Except when responding to a HEAD request, the 5674 server SHOULD send a representation containing an explanation of the 5675 error situation, and whether it is a temporary or permanent 5676 condition. These status codes are applicable to any request method. 5677 User agents SHOULD display any included representation to the user. 5679 9.5.1. 400 Bad Request 5681 The 400 (Bad Request) status code indicates that the server cannot or 5682 will not process the request due to something that is perceived to be 5683 a client error (e.g., malformed request syntax, invalid request 5684 message framing, or deceptive request routing). 5686 9.5.2. 401 Unauthorized 5688 The 401 (Unauthorized) status code indicates that the request has not 5689 been applied because it lacks valid authentication credentials for 5690 the target resource. The server generating a 401 response MUST send 5691 a WWW-Authenticate header field (Section 10.3.1) containing at least 5692 one challenge applicable to the target resource. 5694 If the request included authentication credentials, then the 401 5695 response indicates that authorization has been refused for those 5696 credentials. The user agent MAY repeat the request with a new or 5697 replaced Authorization header field (Section 8.5.3). If the 401 5698 response contains the same challenge as the prior response, and the 5699 user agent has already attempted authentication at least once, then 5700 the user agent SHOULD present the enclosed representation to the 5701 user, since it usually contains relevant diagnostic information. 5703 9.5.3. 402 Payment Required 5705 The 402 (Payment Required) status code is reserved for future use. 5707 9.5.4. 403 Forbidden 5709 The 403 (Forbidden) status code indicates that the server understood 5710 the request but refuses to authorize it. A server that wishes to 5711 make public why the request has been forbidden can describe that 5712 reason in the response payload (if any). 5714 If authentication credentials were provided in the request, the 5715 server considers them insufficient to grant access. The client 5716 SHOULD NOT automatically repeat the request with the same 5717 credentials. The client MAY repeat the request with new or different 5718 credentials. However, a request might be forbidden for reasons 5719 unrelated to the credentials. 5721 An origin server that wishes to "hide" the current existence of a 5722 forbidden target resource MAY instead respond with a status code of 5723 404 (Not Found). 5725 9.5.5. 404 Not Found 5727 The 404 (Not Found) status code indicates that the origin server did 5728 not find a current representation for the target resource or is not 5729 willing to disclose that one exists. A 404 status code does not 5730 indicate whether this lack of representation is temporary or 5731 permanent; the 410 (Gone) status code is preferred over 404 if the 5732 origin server knows, presumably through some configurable means, that 5733 the condition is likely to be permanent. 5735 A 404 response is cacheable by default; i.e., unless otherwise 5736 indicated by the method definition or explicit cache controls (see 5737 Section 4.2.2 of [Caching]). 5739 9.5.6. 405 Method Not Allowed 5741 The 405 (Method Not Allowed) status code indicates that the method 5742 received in the request-line is known by the origin server but not 5743 supported by the target resource. The origin server MUST generate an 5744 Allow header field in a 405 response containing a list of the target 5745 resource's currently supported methods. 5747 A 405 response is cacheable by default; i.e., unless otherwise 5748 indicated by the method definition or explicit cache controls (see 5749 Section 4.2.2 of [Caching]). 5751 9.5.7. 406 Not Acceptable 5753 The 406 (Not Acceptable) status code indicates that the target 5754 resource does not have a current representation that would be 5755 acceptable to the user agent, according to the proactive negotiation 5756 header fields received in the request (Section 8.4), and the server 5757 is unwilling to supply a default representation. 5759 The server SHOULD generate a payload containing a list of available 5760 representation characteristics and corresponding resource identifiers 5761 from which the user or user agent can choose the one most 5762 appropriate. A user agent MAY automatically select the most 5763 appropriate choice from that list. However, this specification does 5764 not define any standard for such automatic selection, as described in 5765 Section 9.4.1. 5767 9.5.8. 407 Proxy Authentication Required 5769 The 407 (Proxy Authentication Required) status code is similar to 401 5770 (Unauthorized), but it indicates that the client needs to 5771 authenticate itself in order to use a proxy. The proxy MUST send a 5772 Proxy-Authenticate header field (Section 10.3.2) containing a 5773 challenge applicable to that proxy for the target resource. The 5774 client MAY repeat the request with a new or replaced Proxy- 5775 Authorization header field (Section 8.5.4). 5777 9.5.9. 408 Request Timeout 5779 The 408 (Request Timeout) status code indicates that the server did 5780 not receive a complete request message within the time that it was 5781 prepared to wait. A server SHOULD send the "close" connection option 5782 (Section 9.1 of [Messaging]) in the response, since 408 implies that 5783 the server has decided to close the connection rather than continue 5784 waiting. If the client has an outstanding request in transit, the 5785 client MAY repeat that request on a new connection. 5787 9.5.10. 409 Conflict 5789 The 409 (Conflict) status code indicates that the request could not 5790 be completed due to a conflict with the current state of the target 5791 resource. This code is used in situations where the user might be 5792 able to resolve the conflict and resubmit the request. The server 5793 SHOULD generate a payload that includes enough information for a user 5794 to recognize the source of the conflict. 5796 Conflicts are most likely to occur in response to a PUT request. For 5797 example, if versioning were being used and the representation being 5798 PUT included changes to a resource that conflict with those made by 5799 an earlier (third-party) request, the origin server might use a 409 5800 response to indicate that it can't complete the request. In this 5801 case, the response representation would likely contain information 5802 useful for merging the differences based on the revision history. 5804 9.5.11. 410 Gone 5806 The 410 (Gone) status code indicates that access to the target 5807 resource is no longer available at the origin server and that this 5808 condition is likely to be permanent. If the origin server does not 5809 know, or has no facility to determine, whether or not the condition 5810 is permanent, the status code 404 (Not Found) ought to be used 5811 instead. 5813 The 410 response is primarily intended to assist the task of web 5814 maintenance by notifying the recipient that the resource is 5815 intentionally unavailable and that the server owners desire that 5816 remote links to that resource be removed. Such an event is common 5817 for limited-time, promotional services and for resources belonging to 5818 individuals no longer associated with the origin server's site. It 5819 is not necessary to mark all permanently unavailable resources as 5820 "gone" or to keep the mark for any length of time -- that is left to 5821 the discretion of the server owner. 5823 A 410 response is cacheable by default; i.e., unless otherwise 5824 indicated by the method definition or explicit cache controls (see 5825 Section 4.2.2 of [Caching]). 5827 9.5.12. 411 Length Required 5829 The 411 (Length Required) status code indicates that the server 5830 refuses to accept the request without a defined Content-Length 5831 (Section 6.2.4). The client MAY repeat the request if it adds a 5832 valid Content-Length header field containing the length of the 5833 message body in the request message. 5835 9.5.13. 412 Precondition Failed 5837 The 412 (Precondition Failed) status code indicates that one or more 5838 conditions given in the request header fields evaluated to false when 5839 tested on the server. This response status code allows the client to 5840 place preconditions on the current resource state (its current 5841 representations and metadata) and, thus, prevent the request method 5842 from being applied if the target resource is in an unexpected state. 5844 9.5.14. 413 Payload Too Large 5846 The 413 (Payload Too Large) status code indicates that the server is 5847 refusing to process a request because the request payload is larger 5848 than the server is willing or able to process. The server MAY close 5849 the connection to prevent the client from continuing the request. 5851 If the condition is temporary, the server SHOULD generate a Retry- 5852 After header field to indicate that it is temporary and after what 5853 time the client MAY try again. 5855 9.5.15. 414 URI Too Long 5857 The 414 (URI Too Long) status code indicates that the server is 5858 refusing to service the request because the request-target 5859 (Section 3.2 of [Messaging]) is longer than the server is willing to 5860 interpret. This rare condition is only likely to occur when a client 5861 has improperly converted a POST request to a GET request with long 5862 query information, when the client has descended into a "black hole" 5863 of redirection (e.g., a redirected URI prefix that points to a suffix 5864 of itself) or when the server is under attack by a client attempting 5865 to exploit potential security holes. 5867 A 414 response is cacheable by default; i.e., unless otherwise 5868 indicated by the method definition or explicit cache controls (see 5869 Section 4.2.2 of [Caching]). 5871 9.5.16. 415 Unsupported Media Type 5873 The 415 (Unsupported Media Type) status code indicates that the 5874 origin server is refusing to service the request because the payload 5875 is in a format not supported by this method on the target resource. 5876 The format problem might be due to the request's indicated Content- 5877 Type or Content-Encoding, or as a result of inspecting the data 5878 directly. 5880 9.5.17. 416 Range Not Satisfiable 5882 The 416 (Range Not Satisfiable) status code indicates that none of 5883 the ranges in the request's Range header field (Section 8.3) overlap 5884 the current extent of the selected representation or that the set of 5885 ranges requested has been rejected due to invalid ranges or an 5886 excessive request of small or overlapping ranges. 5888 For byte ranges, failing to overlap the current extent means that the 5889 first-byte-pos of all of the byte-range-spec values were greater than 5890 or equal to the current length of the selected representation. When 5891 this status code is generated in response to a byte-range request, 5892 the sender SHOULD generate a Content-Range header field specifying 5893 the current length of the selected representation (Section 6.3.3). 5895 For example: 5897 HTTP/1.1 416 Range Not Satisfiable 5898 Date: Fri, 20 Jan 2012 15:41:54 GMT 5899 Content-Range: bytes */47022 5901 Note: Because servers are free to ignore Range, many 5902 implementations will simply respond with the entire selected 5903 representation in a 200 (OK) response. That is partly because 5904 most clients are prepared to receive a 200 (OK) to complete the 5905 task (albeit less efficiently) and partly because clients might 5906 not stop making an invalid partial request until they have 5907 received a complete representation. Thus, clients cannot depend 5908 on receiving a 416 (Range Not Satisfiable) response even when it 5909 is most appropriate. 5911 9.5.18. 417 Expectation Failed 5913 The 417 (Expectation Failed) status code indicates that the 5914 expectation given in the request's Expect header field 5915 (Section 8.1.1) could not be met by at least one of the inbound 5916 servers. 5918 9.5.19. 418 (Unused) 5920 [RFC2324] was an April 1 RFC that lampooned the various ways HTTP was 5921 abused; one such abuse was the definition of an application-specific 5922 418 status code. In the intervening years, this status code has been 5923 widely implemented as an "Easter Egg", and therefore is effectively 5924 consumed by this use. 5926 Therefore, the 418 status code is reserved in the IANA HTTP Status 5927 Code registry. This indicates that the status code cannot be 5928 assigned to other applications currently. If future circumstances 5929 require its use (e.g., exhaustion of 4NN status codes), it can be re- 5930 assigned to another use. 5932 9.5.20. 422 Unprocessable Payload 5934 The 422 (Unprocessable Payload) status code indicates that the server 5935 understands the content type of the request payload (hence a 415 5936 (Unsupported Media Type) status code is inappropriate), and the 5937 syntax of the request payload is correct, but was unable to process 5938 the contained instructions. For example, this status code can be 5939 sent if an XML request payload contains well-formed (i.e., 5940 syntactically correct), but semantically erroneous XML instructions. 5942 9.5.21. 426 Upgrade Required 5944 The 426 (Upgrade Required) status code indicates that the server 5945 refuses to perform the request using the current protocol but might 5946 be willing to do so after the client upgrades to a different 5947 protocol. The server MUST send an Upgrade header field in a 426 5948 response to indicate the required protocol(s) (Section 9.8 of 5949 [Messaging]). 5951 Example: 5953 HTTP/1.1 426 Upgrade Required 5954 Upgrade: HTTP/3.0 5955 Connection: Upgrade 5956 Content-Length: 53 5957 Content-Type: text/plain 5959 This service requires use of the HTTP/3.0 protocol. 5961 9.6. Server Error 5xx 5963 The 5xx (Server Error) class of status code indicates that the server 5964 is aware that it has erred or is incapable of performing the 5965 requested method. Except when responding to a HEAD request, the 5966 server SHOULD send a representation containing an explanation of the 5967 error situation, and whether it is a temporary or permanent 5968 condition. A user agent SHOULD display any included representation 5969 to the user. These response codes are applicable to any request 5970 method. 5972 9.6.1. 500 Internal Server Error 5974 The 500 (Internal Server Error) status code indicates that the server 5975 encountered an unexpected condition that prevented it from fulfilling 5976 the request. 5978 9.6.2. 501 Not Implemented 5980 The 501 (Not Implemented) status code indicates that the server does 5981 not support the functionality required to fulfill the request. This 5982 is the appropriate response when the server does not recognize the 5983 request method and is not capable of supporting it for any resource. 5985 A 501 response is cacheable by default; i.e., unless otherwise 5986 indicated by the method definition or explicit cache controls (see 5987 Section 4.2.2 of [Caching]). 5989 9.6.3. 502 Bad Gateway 5991 The 502 (Bad Gateway) status code indicates that the server, while 5992 acting as a gateway or proxy, received an invalid response from an 5993 inbound server it accessed while attempting to fulfill the request. 5995 9.6.4. 503 Service Unavailable 5997 The 503 (Service Unavailable) status code indicates that the server 5998 is currently unable to handle the request due to a temporary overload 5999 or scheduled maintenance, which will likely be alleviated after some 6000 delay. The server MAY send a Retry-After header field 6001 (Section 10.1.3) to suggest an appropriate amount of time for the 6002 client to wait before retrying the request. 6004 Note: The existence of the 503 status code does not imply that a 6005 server has to use it when becoming overloaded. Some servers might 6006 simply refuse the connection. 6008 9.6.5. 504 Gateway Timeout 6010 The 504 (Gateway Timeout) status code indicates that the server, 6011 while acting as a gateway or proxy, did not receive a timely response 6012 from an upstream server it needed to access in order to complete the 6013 request. 6015 9.6.6. 505 HTTP Version Not Supported 6017 The 505 (HTTP Version Not Supported) status code indicates that the 6018 server does not support, or refuses to support, the major version of 6019 HTTP that was used in the request message. The server is indicating 6020 that it is unable or unwilling to complete the request using the same 6021 major version as the client, as described in Section 3.5, other than 6022 with this error message. The server SHOULD generate a representation 6023 for the 505 response that describes why that version is not supported 6024 and what other protocols are supported by that server. 6026 9.7. Status Code Extensibility 6028 Additional status codes, outside the scope of this specification, 6029 have been specified for use in HTTP. All such status codes ought to 6030 be registered within the "Hypertext Transfer Protocol (HTTP) Status 6031 Code Registry". 6033 9.7.1. Status Code Registry 6035 The "Hypertext Transfer Protocol (HTTP) Status Code Registry", 6036 maintained by IANA at , registers status code numbers. 6039 A registration MUST include the following fields: 6041 o Status Code (3 digits) 6043 o Short Description 6045 o Pointer to specification text 6047 Values to be added to the HTTP status code namespace require IETF 6048 Review (see [RFC8126], Section 4.8). 6050 9.7.2. Considerations for New Status Codes 6052 When it is necessary to express semantics for a response that are not 6053 defined by current status codes, a new status code can be registered. 6054 Status codes are generic; they are potentially applicable to any 6055 resource, not just one particular media type, kind of resource, or 6056 application of HTTP. As such, it is preferred that new status codes 6057 be registered in a document that isn't specific to a single 6058 application. 6060 New status codes are required to fall under one of the categories 6061 defined in Section 9. To allow existing parsers to process the 6062 response message, new status codes cannot disallow a payload, 6063 although they can mandate a zero-length payload body. 6065 Proposals for new status codes that are not yet widely deployed ought 6066 to avoid allocating a specific number for the code until there is 6067 clear consensus that it will be registered; instead, early drafts can 6068 use a notation such as "4NN", or "3N0" .. "3N9", to indicate the 6069 class of the proposed status code(s) without consuming a number 6070 prematurely. 6072 The definition of a new status code ought to explain the request 6073 conditions that would cause a response containing that status code 6074 (e.g., combinations of request header fields and/or method(s)) along 6075 with any dependencies on response header fields (e.g., what fields 6076 are required, what fields can modify the semantics, and what header 6077 field semantics are further refined when used with the new status 6078 code). 6080 The definition of a new status code ought to specify whether or not 6081 it is cacheable. Note that all status codes can be cached if the 6082 response they occur in has explicit freshness information; however, 6083 status codes that are defined as being cacheable are allowed to be 6084 cached without explicit freshness information. Likewise, the 6085 definition of a status code can place constraints upon cache 6086 behavior. See [Caching] for more information. 6088 Finally, the definition of a new status code ought to indicate 6089 whether the payload has any implied association with an identified 6090 resource (Section 6.3.2). 6092 10. Response Header Fields 6094 The response header fields allow the server to pass additional 6095 information about the response beyond what is placed in the status- 6096 line. These header fields give information about the server, about 6097 further access to the target resource, or about related resources. 6099 Although each response header field has a defined meaning, in 6100 general, the precise semantics might be further refined by the 6101 semantics of the request method and/or response status code. 6103 10.1. Control Data 6105 Response header fields can supply control data that supplements the 6106 status code, directs caching, or instructs the client where to go 6107 next. 6109 +-------------------+--------------------------+ 6110 | Header Field Name | Defined in... | 6111 +-------------------+--------------------------+ 6112 | Age | Section 5.1 of [Caching] | 6113 | Cache-Control | Section 5.2 of [Caching] | 6114 | Expires | Section 5.3 of [Caching] | 6115 | Date | Section 10.1.1.2 | 6116 | Location | Section 10.1.2 | 6117 | Retry-After | Section 10.1.3 | 6118 | Vary | Section 10.1.4 | 6119 | Warning | Section 5.5 of [Caching] | 6120 +-------------------+--------------------------+ 6122 10.1.1. Origination Date 6124 10.1.1.1. Date/Time Formats 6126 Prior to 1995, there were three different formats commonly used by 6127 servers to communicate timestamps. For compatibility with old 6128 implementations, all three are defined here. The preferred format is 6129 a fixed-length and single-zone subset of the date and time 6130 specification used by the Internet Message Format [RFC5322]. 6132 HTTP-date = IMF-fixdate / obs-date 6134 An example of the preferred format is 6136 Sun, 06 Nov 1994 08:49:37 GMT ; IMF-fixdate 6138 Examples of the two obsolete formats are 6140 Sunday, 06-Nov-94 08:49:37 GMT ; obsolete RFC 850 format 6141 Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format 6143 A recipient that parses a timestamp value in an HTTP header field 6144 MUST accept all three HTTP-date formats. When a sender generates a 6145 header field that contains one or more timestamps defined as HTTP- 6146 date, the sender MUST generate those timestamps in the IMF-fixdate 6147 format. 6149 An HTTP-date value represents time as an instance of Coordinated 6150 Universal Time (UTC). The first two formats indicate UTC by the 6151 three-letter abbreviation for Greenwich Mean Time, "GMT", a 6152 predecessor of the UTC name; values in the asctime format are assumed 6153 to be in UTC. A sender that generates HTTP-date values from a local 6154 clock ought to use NTP ([RFC5905]) or some similar protocol to 6155 synchronize its clock to UTC. 6157 Preferred format: 6159 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 6160 ; fixed length/zone/capitalization subset of the format 6161 ; see Section 3.3 of [RFC5322] 6163 day-name = %s"Mon" / %s"Tue" / %s"Wed" 6164 / %s"Thu" / %s"Fri" / %s"Sat" / %s"Sun" 6166 date1 = day SP month SP year 6167 ; e.g., 02 Jun 1982 6169 day = 2DIGIT 6170 month = %s"Jan" / %s"Feb" / %s"Mar" / %s"Apr" 6171 / %s"May" / %s"Jun" / %s"Jul" / %s"Aug" 6172 / %s"Sep" / %s"Oct" / %s"Nov" / %s"Dec" 6173 year = 4DIGIT 6175 GMT = %s"GMT" 6177 time-of-day = hour ":" minute ":" second 6178 ; 00:00:00 - 23:59:60 (leap second) 6180 hour = 2DIGIT 6181 minute = 2DIGIT 6182 second = 2DIGIT 6184 Obsolete formats: 6186 obs-date = rfc850-date / asctime-date 6188 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 6189 date2 = day "-" month "-" 2DIGIT 6190 ; e.g., 02-Jun-82 6192 day-name-l = %s"Monday" / %s"Tuesday" / %s"Wednesday" 6193 / %s"Thursday" / %s"Friday" / %s"Saturday" / %s"Sunday" 6195 asctime-date = day-name SP date3 SP time-of-day SP year 6196 date3 = month SP ( 2DIGIT / ( SP 1DIGIT )) 6197 ; e.g., Jun 2 6199 HTTP-date is case sensitive. A sender MUST NOT generate additional 6200 whitespace in an HTTP-date beyond that specifically included as SP in 6201 the grammar. The semantics of day-name, day, month, year, and time- 6202 of-day are the same as those defined for the Internet Message Format 6203 constructs with the corresponding name ([RFC5322], Section 3.3). 6205 Recipients of a timestamp value in rfc850-date format, which uses a 6206 two-digit year, MUST interpret a timestamp that appears to be more 6207 than 50 years in the future as representing the most recent year in 6208 the past that had the same last two digits. 6210 Recipients of timestamp values are encouraged to be robust in parsing 6211 timestamps unless otherwise restricted by the field definition. For 6212 example, messages are occasionally forwarded over HTTP from a non- 6213 HTTP source that might generate any of the date and time 6214 specifications defined by the Internet Message Format. 6216 Note: HTTP requirements for the date/time stamp format apply only 6217 to their usage within the protocol stream. Implementations are 6218 not required to use these formats for user presentation, request 6219 logging, etc. 6221 10.1.1.2. Date 6223 The "Date" header field represents the date and time at which the 6224 message was originated, having the same semantics as the Origination 6225 Date Field (orig-date) defined in Section 3.6.1 of [RFC5322]. The 6226 field value is an HTTP-date, as defined in Section 10.1.1.1. 6228 Date = HTTP-date 6230 An example is 6232 Date: Tue, 15 Nov 1994 08:12:31 GMT 6234 When a Date header field is generated, the sender SHOULD generate its 6235 field value as the best available approximation of the date and time 6236 of message generation. In theory, the date ought to represent the 6237 moment just before the payload is generated. In practice, the date 6238 can be generated at any time during message origination. 6240 An origin server MUST NOT send a Date header field if it does not 6241 have a clock capable of providing a reasonable approximation of the 6242 current instance in Coordinated Universal Time. An origin server MAY 6243 send a Date header field if the response is in the 1xx 6244 (Informational) or 5xx (Server Error) class of status codes. An 6245 origin server MUST send a Date header field in all other cases. 6247 A recipient with a clock that receives a response message without a 6248 Date header field MUST record the time it was received and append a 6249 corresponding Date header field to the message's header section if it 6250 is cached or forwarded downstream. 6252 A user agent MAY send a Date header field in a request, though 6253 generally will not do so unless it is believed to convey useful 6254 information to the server. For example, custom applications of HTTP 6255 might convey a Date if the server is expected to adjust its 6256 interpretation of the user's request based on differences between the 6257 user agent and server clocks. 6259 10.1.2. Location 6261 The "Location" header field is used in some responses to refer to a 6262 specific resource in relation to the response. The type of 6263 relationship is defined by the combination of request method and 6264 status code semantics. 6266 Location = URI-reference 6268 The field value consists of a single URI-reference. When it has the 6269 form of a relative reference ([RFC3986], Section 4.2), the final 6270 value is computed by resolving it against the effective request URI 6271 ([RFC3986], Section 5). 6273 For 201 (Created) responses, the Location value refers to the primary 6274 resource created by the request. For 3xx (Redirection) responses, 6275 the Location value refers to the preferred target resource for 6276 automatically redirecting the request. 6278 If the Location value provided in a 3xx (Redirection) response does 6279 not have a fragment component, a user agent MUST process the 6280 redirection as if the value inherits the fragment component of the 6281 URI reference used to generate the request target (i.e., the 6282 redirection inherits the original reference's fragment, if any). 6284 For example, a GET request generated for the URI reference 6285 "http://www.example.org/~tim" might result in a 303 (See Other) 6286 response containing the header field: 6288 Location: /People.html#tim 6290 which suggests that the user agent redirect to 6291 "http://www.example.org/People.html#tim" 6293 Likewise, a GET request generated for the URI reference 6294 "http://www.example.org/index.html#larry" might result in a 301 6295 (Moved Permanently) response containing the header field: 6297 Location: http://www.example.net/index.html 6299 which suggests that the user agent redirect to 6300 "http://www.example.net/index.html#larry", preserving the original 6301 fragment identifier. 6303 There are circumstances in which a fragment identifier in a Location 6304 value would not be appropriate. For example, the Location header 6305 field in a 201 (Created) response is supposed to provide a URI that 6306 is specific to the created resource. 6308 Note: Some recipients attempt to recover from Location fields that 6309 are not valid URI references. This specification does not mandate 6310 or define such processing, but does allow it for the sake of 6311 robustness. 6313 Note: The Content-Location header field (Section 6.2.5) differs 6314 from Location in that the Content-Location refers to the most 6315 specific resource corresponding to the enclosed representation. 6316 It is therefore possible for a response to contain both the 6317 Location and Content-Location header fields. 6319 10.1.3. Retry-After 6321 Servers send the "Retry-After" header field to indicate how long the 6322 user agent ought to wait before making a follow-up request. When 6323 sent with a 503 (Service Unavailable) response, Retry-After indicates 6324 how long the service is expected to be unavailable to the client. 6325 When sent with any 3xx (Redirection) response, Retry-After indicates 6326 the minimum time that the user agent is asked to wait before issuing 6327 the redirected request. 6329 The value of this field can be either an HTTP-date or a number of 6330 seconds to delay after the response is received. 6332 Retry-After = HTTP-date / delay-seconds 6334 A delay-seconds value is a non-negative decimal integer, representing 6335 time in seconds. 6337 delay-seconds = 1*DIGIT 6339 Two examples of its use are 6341 Retry-After: Fri, 31 Dec 1999 23:59:59 GMT 6342 Retry-After: 120 6344 In the latter example, the delay is 2 minutes. 6346 10.1.4. Vary 6348 The "Vary" header field in a response describes what parts of a 6349 request message, aside from the method, Host header field, and 6350 request target, might influence the origin server's process for 6351 selecting and representing this response. The value consists of 6352 either a single asterisk ("*") or a list of header field names (case- 6353 insensitive). 6355 Vary = "*" / 1#field-name 6357 A Vary field value of "*" signals that anything about the request 6358 might play a role in selecting the response representation, possibly 6359 including elements outside the message syntax (e.g., the client's 6360 network address). A recipient will not be able to determine whether 6361 this response is appropriate for a later request without forwarding 6362 the request to the origin server. A proxy MUST NOT generate a Vary 6363 field with a "*" value. 6365 A Vary field value consisting of a comma-separated list of names 6366 indicates that the named request header fields, known as the 6367 selecting header fields, might have a role in selecting the 6368 representation. The potential selecting header fields are not 6369 limited to those defined by this specification. 6371 For example, a response that contains 6373 Vary: accept-encoding, accept-language 6375 indicates that the origin server might have used the request's 6376 Accept-Encoding and Accept-Language fields (or lack thereof) as 6377 determining factors while choosing the content for this response. 6379 An origin server might send Vary with a list of fields for two 6380 purposes: 6382 1. To inform cache recipients that they MUST NOT use this response 6383 to satisfy a later request unless the later request has the same 6384 values for the listed fields as the original request (Section 4.1 6385 of [Caching]). In other words, Vary expands the cache key 6386 required to match a new request to the stored cache entry. 6388 2. To inform user agent recipients that this response is subject to 6389 content negotiation (Section 8.4) and that a different 6390 representation might be sent in a subsequent request if 6391 additional parameters are provided in the listed header fields 6392 (proactive negotiation). 6394 An origin server SHOULD send a Vary header field when its algorithm 6395 for selecting a representation varies based on aspects of the request 6396 message other than the method and request target, unless the variance 6397 cannot be crossed or the origin server has been deliberately 6398 configured to prevent cache transparency. For example, there is no 6399 need to send the Authorization field name in Vary because reuse 6400 across users is constrained by the field definition (Section 8.5.3). 6401 Likewise, an origin server might use Cache-Control response 6402 directives (Section 5.2 of [Caching]) to supplant Vary if it 6403 considers the variance less significant than the performance cost of 6404 Vary's impact on caching. 6406 10.2. Validators 6408 Validator header fields convey metadata about the selected 6409 representation (Section 6). In responses to safe requests, validator 6410 fields describe the selected representation chosen by the origin 6411 server while handling the response. Note that, depending on the 6412 status code semantics, the selected representation for a given 6413 response is not necessarily the same as the representation enclosed 6414 as response payload. 6416 In a successful response to a state-changing request, validator 6417 fields describe the new representation that has replaced the prior 6418 selected representation as a result of processing the request. 6420 For example, an ETag header field in a 201 (Created) response 6421 communicates the entity-tag of the newly created resource's 6422 representation, so that it can be used in later conditional requests 6423 to prevent the "lost update" problem Section 8.2. 6425 +-------------------+----------------+ 6426 | Header Field Name | Defined in... | 6427 +-------------------+----------------+ 6428 | ETag | Section 10.2.3 | 6429 | Last-Modified | Section 10.2.2 | 6430 +-------------------+----------------+ 6432 This specification defines two forms of metadata that are commonly 6433 used to observe resource state and test for preconditions: 6434 modification dates (Section 10.2.2) and opaque entity tags 6435 (Section 10.2.3). Additional metadata that reflects resource state 6436 has been defined by various extensions of HTTP, such as Web 6437 Distributed Authoring and Versioning (WebDAV, [RFC4918]), that are 6438 beyond the scope of this specification. A resource metadata value is 6439 referred to as a "validator" when it is used within a precondition. 6441 10.2.1. Weak versus Strong 6443 Validators come in two flavors: strong or weak. Weak validators are 6444 easy to generate but are far less useful for comparisons. Strong 6445 validators are ideal for comparisons but can be very difficult (and 6446 occasionally impossible) to generate efficiently. Rather than impose 6447 that all forms of resource adhere to the same strength of validator, 6448 HTTP exposes the type of validator in use and imposes restrictions on 6449 when weak validators can be used as preconditions. 6451 A "strong validator" is representation metadata that changes value 6452 whenever a change occurs to the representation data that would be 6453 observable in the payload body of a 200 (OK) response to GET. 6455 A strong validator might change for reasons other than a change to 6456 the representation data, such as when a semantically significant part 6457 of the representation metadata is changed (e.g., Content-Type), but 6458 it is in the best interests of the origin server to only change the 6459 value when it is necessary to invalidate the stored responses held by 6460 remote caches and authoring tools. 6462 Cache entries might persist for arbitrarily long periods, regardless 6463 of expiration times. Thus, a cache might attempt to validate an 6464 entry using a validator that it obtained in the distant past. A 6465 strong validator is unique across all versions of all representations 6466 associated with a particular resource over time. However, there is 6467 no implication of uniqueness across representations of different 6468 resources (i.e., the same strong validator might be in use for 6469 representations of multiple resources at the same time and does not 6470 imply that those representations are equivalent). 6472 There are a variety of strong validators used in practice. The best 6473 are based on strict revision control, wherein each change to a 6474 representation always results in a unique node name and revision 6475 identifier being assigned before the representation is made 6476 accessible to GET. A collision-resistant hash function applied to 6477 the representation data is also sufficient if the data is available 6478 prior to the response header fields being sent and the digest does 6479 not need to be recalculated every time a validation request is 6480 received. However, if a resource has distinct representations that 6481 differ only in their metadata, such as might occur with content 6482 negotiation over media types that happen to share the same data 6483 format, then the origin server needs to incorporate additional 6484 information in the validator to distinguish those representations. 6486 In contrast, a "weak validator" is representation metadata that might 6487 not change for every change to the representation data. This 6488 weakness might be due to limitations in how the value is calculated, 6489 such as clock resolution, an inability to ensure uniqueness for all 6490 possible representations of the resource, or a desire of the resource 6491 owner to group representations by some self-determined set of 6492 equivalency rather than unique sequences of data. An origin server 6493 SHOULD change a weak entity-tag whenever it considers prior 6494 representations to be unacceptable as a substitute for the current 6495 representation. In other words, a weak entity-tag ought to change 6496 whenever the origin server wants caches to invalidate old responses. 6498 For example, the representation of a weather report that changes in 6499 content every second, based on dynamic measurements, might be grouped 6500 into sets of equivalent representations (from the origin server's 6501 perspective) with the same weak validator in order to allow cached 6502 representations to be valid for a reasonable period of time (perhaps 6503 adjusted dynamically based on server load or weather quality). 6504 Likewise, a representation's modification time, if defined with only 6505 one-second resolution, might be a weak validator if it is possible 6506 for the representation to be modified twice during a single second 6507 and retrieved between those modifications. 6509 Likewise, a validator is weak if it is shared by two or more 6510 representations of a given resource at the same time, unless those 6511 representations have identical representation data. For example, if 6512 the origin server sends the same validator for a representation with 6513 a gzip content coding applied as it does for a representation with no 6514 content coding, then that validator is weak. However, two 6515 simultaneous representations might share the same strong validator if 6516 they differ only in the representation metadata, such as when two 6517 different media types are available for the same representation data. 6519 Strong validators are usable for all conditional requests, including 6520 cache validation, partial content ranges, and "lost update" 6521 avoidance. Weak validators are only usable when the client does not 6522 require exact equality with previously obtained representation data, 6523 such as when validating a cache entry or limiting a web traversal to 6524 recent changes. 6526 10.2.2. Last-Modified 6528 The "Last-Modified" header field in a response provides a timestamp 6529 indicating the date and time at which the origin server believes the 6530 selected representation was last modified, as determined at the 6531 conclusion of handling the request. 6533 Last-Modified = HTTP-date 6535 An example of its use is 6537 Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT 6539 10.2.2.1. Generation 6541 An origin server SHOULD send Last-Modified for any selected 6542 representation for which a last modification date can be reasonably 6543 and consistently determined, since its use in conditional requests 6544 and evaluating cache freshness ([Caching]) results in a substantial 6545 reduction of HTTP traffic on the Internet and can be a significant 6546 factor in improving service scalability and reliability. 6548 A representation is typically the sum of many parts behind the 6549 resource interface. The last-modified time would usually be the most 6550 recent time that any of those parts were changed. How that value is 6551 determined for any given resource is an implementation detail beyond 6552 the scope of this specification. What matters to HTTP is how 6553 recipients of the Last-Modified header field can use its value to 6554 make conditional requests and test the validity of locally cached 6555 responses. 6557 An origin server SHOULD obtain the Last-Modified value of the 6558 representation as close as possible to the time that it generates the 6559 Date field value for its response. This allows a recipient to make 6560 an accurate assessment of the representation's modification time, 6561 especially if the representation changes near the time that the 6562 response is generated. 6564 An origin server with a clock MUST NOT send a Last-Modified date that 6565 is later than the server's time of message origination (Date). If 6566 the last modification time is derived from implementation-specific 6567 metadata that evaluates to some time in the future, according to the 6568 origin server's clock, then the origin server MUST replace that value 6569 with the message origination date. This prevents a future 6570 modification date from having an adverse impact on cache validation. 6572 An origin server without a clock MUST NOT assign Last-Modified values 6573 to a response unless these values were associated with the resource 6574 by some other system or user with a reliable clock. 6576 10.2.2.2. Comparison 6578 A Last-Modified time, when used as a validator in a request, is 6579 implicitly weak unless it is possible to deduce that it is strong, 6580 using the following rules: 6582 o The validator is being compared by an origin server to the actual 6583 current validator for the representation and, 6585 o That origin server reliably knows that the associated 6586 representation did not change twice during the second covered by 6587 the presented validator. 6589 or 6591 o The validator is about to be used by a client in an If-Modified- 6592 Since, If-Unmodified-Since, or If-Range header field, because the 6593 client has a cache entry for the associated representation, and 6595 o That cache entry includes a Date value, which gives the time when 6596 the origin server sent the original response, and 6598 o The presented Last-Modified time is at least 60 seconds before the 6599 Date value. 6601 or 6603 o The validator is being compared by an intermediate cache to the 6604 validator stored in its cache entry for the representation, and 6606 o That cache entry includes a Date value, which gives the time when 6607 the origin server sent the original response, and 6609 o The presented Last-Modified time is at least 60 seconds before the 6610 Date value. 6612 This method relies on the fact that if two different responses were 6613 sent by the origin server during the same second, but both had the 6614 same Last-Modified time, then at least one of those responses would 6615 have a Date value equal to its Last-Modified time. The arbitrary 6616 60-second limit guards against the possibility that the Date and 6617 Last-Modified values are generated from different clocks or at 6618 somewhat different times during the preparation of the response. An 6619 implementation MAY use a value larger than 60 seconds, if it is 6620 believed that 60 seconds is too short. 6622 10.2.3. ETag 6624 The "ETag" header field in a response provides the current entity-tag 6625 for the selected representation, as determined at the conclusion of 6626 handling the request. An entity-tag is an opaque validator for 6627 differentiating between multiple representations of the same 6628 resource, regardless of whether those multiple representations are 6629 due to resource state changes over time, content negotiation 6630 resulting in multiple representations being valid at the same time, 6631 or both. An entity-tag consists of an opaque quoted string, possibly 6632 prefixed by a weakness indicator. 6634 ETag = entity-tag 6636 entity-tag = [ weak ] opaque-tag 6637 weak = %s"W/" 6638 opaque-tag = DQUOTE *etagc DQUOTE 6639 etagc = %x21 / %x23-7E / obs-text 6640 ; VCHAR except double quotes, plus obs-text 6642 Note: Previously, opaque-tag was defined to be a quoted-string 6643 ([RFC2616], Section 3.11); thus, some recipients might perform 6644 backslash unescaping. Servers therefore ought to avoid backslash 6645 characters in entity tags. 6647 An entity-tag can be more reliable for validation than a modification 6648 date in situations where it is inconvenient to store modification 6649 dates, where the one-second resolution of HTTP date values is not 6650 sufficient, or where modification dates are not consistently 6651 maintained. 6653 Examples: 6655 ETag: "xyzzy" 6656 ETag: W/"xyzzy" 6657 ETag: "" 6659 An entity-tag can be either a weak or strong validator, with strong 6660 being the default. If an origin server provides an entity-tag for a 6661 representation and the generation of that entity-tag does not satisfy 6662 all of the characteristics of a strong validator (Section 10.2.1), 6663 then the origin server MUST mark the entity-tag as weak by prefixing 6664 its opaque value with "W/" (case-sensitive). 6666 10.2.3.1. Generation 6668 The principle behind entity-tags is that only the service author 6669 knows the implementation of a resource well enough to select the most 6670 accurate and efficient validation mechanism for that resource, and 6671 that any such mechanism can be mapped to a simple sequence of octets 6672 for easy comparison. Since the value is opaque, there is no need for 6673 the client to be aware of how each entity-tag is constructed. 6675 For example, a resource that has implementation-specific versioning 6676 applied to all changes might use an internal revision number, perhaps 6677 combined with a variance identifier for content negotiation, to 6678 accurately differentiate between representations. Other 6679 implementations might use a collision-resistant hash of 6680 representation content, a combination of various file attributes, or 6681 a modification timestamp that has sub-second resolution. 6683 An origin server SHOULD send an ETag for any selected representation 6684 for which detection of changes can be reasonably and consistently 6685 determined, since the entity-tag's use in conditional requests and 6686 evaluating cache freshness ([Caching]) can result in a substantial 6687 reduction of HTTP network traffic and can be a significant factor in 6688 improving service scalability and reliability. 6690 10.2.3.2. Comparison 6692 There are two entity-tag comparison functions, depending on whether 6693 or not the comparison context allows the use of weak validators: 6695 o Strong comparison: two entity-tags are equivalent if both are not 6696 weak and their opaque-tags match character-by-character. 6698 o Weak comparison: two entity-tags are equivalent if their opaque- 6699 tags match character-by-character, regardless of either or both 6700 being tagged as "weak". 6702 The example below shows the results for a set of entity-tag pairs and 6703 both the weak and strong comparison function results: 6705 +--------+--------+-------------------+-----------------+ 6706 | ETag 1 | ETag 2 | Strong Comparison | Weak Comparison | 6707 +--------+--------+-------------------+-----------------+ 6708 | W/"1" | W/"1" | no match | match | 6709 | W/"1" | W/"2" | no match | no match | 6710 | W/"1" | "1" | no match | match | 6711 | "1" | "1" | match | match | 6712 +--------+--------+-------------------+-----------------+ 6714 10.2.3.3. Example: Entity-Tags Varying on Content-Negotiated Resources 6716 Consider a resource that is subject to content negotiation 6717 (Section 6.4), and where the representations sent in response to a 6718 GET request vary based on the Accept-Encoding request header field 6719 (Section 8.4.4): 6721 >> Request: 6723 GET /index HTTP/1.1 6724 Host: www.example.com 6725 Accept-Encoding: gzip 6727 In this case, the response might or might not use the gzip content 6728 coding. If it does not, the response might look like: 6730 >> Response: 6732 HTTP/1.1 200 OK 6733 Date: Fri, 26 Mar 2010 00:05:00 GMT 6734 ETag: "123-a" 6735 Content-Length: 70 6736 Vary: Accept-Encoding 6737 Content-Type: text/plain 6739 Hello World! 6740 Hello World! 6741 Hello World! 6742 Hello World! 6743 Hello World! 6745 An alternative representation that does use gzip content coding would 6746 be: 6748 >> Response: 6750 HTTP/1.1 200 OK 6751 Date: Fri, 26 Mar 2010 00:05:00 GMT 6752 ETag: "123-b" 6753 Content-Length: 43 6754 Vary: Accept-Encoding 6755 Content-Type: text/plain 6756 Content-Encoding: gzip 6758 ...binary data... 6760 Note: Content codings are a property of the representation data, 6761 so a strong entity-tag for a content-encoded representation has to 6762 be distinct from the entity tag of an unencoded representation to 6763 prevent potential conflicts during cache updates and range 6764 requests. In contrast, transfer codings (Section 7 of 6765 [Messaging]) apply only during message transfer and do not result 6766 in distinct entity-tags. 6768 10.2.4. When to Use Entity-Tags and Last-Modified Dates 6770 In 200 (OK) responses to GET or HEAD, an origin server: 6772 o SHOULD send an entity-tag validator unless it is not feasible to 6773 generate one. 6775 o MAY send a weak entity-tag instead of a strong entity-tag, if 6776 performance considerations support the use of weak entity-tags, or 6777 if it is unfeasible to send a strong entity-tag. 6779 o SHOULD send a Last-Modified value if it is feasible to send one. 6781 In other words, the preferred behavior for an origin server is to 6782 send both a strong entity-tag and a Last-Modified value in successful 6783 responses to a retrieval request. 6785 A client: 6787 o MUST send that entity-tag in any cache validation request (using 6788 If-Match or If-None-Match) if an entity-tag has been provided by 6789 the origin server. 6791 o SHOULD send the Last-Modified value in non-subrange cache 6792 validation requests (using If-Modified-Since) if only a Last- 6793 Modified value has been provided by the origin server. 6795 o MAY send the Last-Modified value in subrange cache validation 6796 requests (using If-Unmodified-Since) if only a Last-Modified value 6797 has been provided by an HTTP/1.0 origin server. The user agent 6798 SHOULD provide a way to disable this, in case of difficulty. 6800 o SHOULD send both validators in cache validation requests if both 6801 an entity-tag and a Last-Modified value have been provided by the 6802 origin server. This allows both HTTP/1.0 and HTTP/1.1 caches to 6803 respond appropriately. 6805 10.3. Authentication Challenges 6807 Authentication challenges indicate what mechanisms are available for 6808 the client to provide authentication credentials in future requests. 6810 +--------------------+----------------+ 6811 | Header Field Name | Defined in... | 6812 +--------------------+----------------+ 6813 | WWW-Authenticate | Section 10.3.1 | 6814 | Proxy-Authenticate | Section 10.3.2 | 6815 +--------------------+----------------+ 6816 Furthermore, the "Authentication-Info" and "Proxy-Authentication- 6817 Info" response header fields are defined for use in authentication 6818 schemes that need to return information once the client's 6819 authentication credentials have been accepted. 6821 +---------------------------+----------------+ 6822 | Header Field Name | Defined in... | 6823 +---------------------------+----------------+ 6824 | Authentication-Info | Section 10.3.3 | 6825 | Proxy-Authentication-Info | Section 10.3.4 | 6826 +---------------------------+----------------+ 6828 10.3.1. WWW-Authenticate 6830 The "WWW-Authenticate" header field indicates the authentication 6831 scheme(s) and parameters applicable to the target resource. 6833 WWW-Authenticate = 1#challenge 6835 A server generating a 401 (Unauthorized) response MUST send a WWW- 6836 Authenticate header field containing at least one challenge. A 6837 server MAY generate a WWW-Authenticate header field in other response 6838 messages to indicate that supplying credentials (or different 6839 credentials) might affect the response. 6841 A proxy forwarding a response MUST NOT modify any WWW-Authenticate 6842 fields in that response. 6844 User agents are advised to take special care in parsing the field 6845 value, as it might contain more than one challenge, and each 6846 challenge can contain a comma-separated list of authentication 6847 parameters. Furthermore, the header field itself can occur multiple 6848 times. 6850 For instance: 6852 WWW-Authenticate: Newauth realm="apps", type=1, 6853 title="Login to \"apps\"", Basic realm="simple" 6855 This header field contains two challenges; one for the "Newauth" 6856 scheme with a realm value of "apps", and two additional parameters 6857 "type" and "title", and another one for the "Basic" scheme with a 6858 realm value of "simple". 6860 Note: The challenge grammar production uses the list syntax as 6861 well. Therefore, a sequence of comma, whitespace, and comma can 6862 be considered either as applying to the preceding challenge, or to 6863 be an empty entry in the list of challenges. In practice, this 6864 ambiguity does not affect the semantics of the header field value 6865 and thus is harmless. 6867 10.3.2. Proxy-Authenticate 6869 The "Proxy-Authenticate" header field consists of at least one 6870 challenge that indicates the authentication scheme(s) and parameters 6871 applicable to the proxy for this effective request URI (Section 5.3). 6872 A proxy MUST send at least one Proxy-Authenticate header field in 6873 each 407 (Proxy Authentication Required) response that it generates. 6875 Proxy-Authenticate = 1#challenge 6877 Unlike WWW-Authenticate, the Proxy-Authenticate header field applies 6878 only to the next outbound client on the response chain. This is 6879 because only the client that chose a given proxy is likely to have 6880 the credentials necessary for authentication. However, when multiple 6881 proxies are used within the same administrative domain, such as 6882 office and regional caching proxies within a large corporate network, 6883 it is common for credentials to be generated by the user agent and 6884 passed through the hierarchy until consumed. Hence, in such a 6885 configuration, it will appear as if Proxy-Authenticate is being 6886 forwarded because each proxy will send the same challenge set. 6888 Note that the parsing considerations for WWW-Authenticate apply to 6889 this header field as well; see Section 10.3.1 for details. 6891 10.3.3. Authentication-Info 6893 HTTP authentication schemes can use the Authentication-Info response 6894 header field to communicate information after the client's 6895 authentication credentials have been accepted. This information can 6896 include a finalization message from the server (e.g., it can contain 6897 the server authentication). 6899 The field value is a list of parameters (name/value pairs), using the 6900 "auth-param" syntax defined in Section 8.5.1. This specification 6901 only describes the generic format; authentication schemes using 6902 Authentication-Info will define the individual parameters. The 6903 "Digest" Authentication Scheme, for instance, defines multiple 6904 parameters in Section 3.5 of [RFC7616]. 6906 Authentication-Info = #auth-param 6908 The Authentication-Info header field can be used in any HTTP 6909 response, independently of request method and status code. Its 6910 semantics are defined by the authentication scheme indicated by the 6911 Authorization header field (Section 8.5.3) of the corresponding 6912 request. 6914 A proxy forwarding a response is not allowed to modify the field 6915 value in any way. 6917 Authentication-Info can be used inside trailers (Section 7.1.2 of 6918 [Messaging]) when the authentication scheme explicitly allows this. 6920 10.3.3.1. Parameter Value Format 6922 Parameter values can be expressed either as "token" or as "quoted- 6923 string" (Section 4.2.3). 6925 Authentication scheme definitions need to allow both notations, both 6926 for senders and recipients. This allows recipients to use generic 6927 parsing components, independent of the authentication scheme in use. 6929 For backwards compatibility, authentication scheme definitions can 6930 restrict the format for senders to one of the two variants. This can 6931 be important when it is known that deployed implementations will fail 6932 when encountering one of the two formats. 6934 10.3.4. Proxy-Authentication-Info 6936 The Proxy-Authentication-Info response header field is equivalent to 6937 Authentication-Info, except that it applies to proxy authentication 6938 (Section 8.5.1) and its semantics are defined by the authentication 6939 scheme indicated by the Proxy-Authorization header field 6940 (Section 8.5.4) of the corresponding request: 6942 Proxy-Authentication-Info = #auth-param 6944 However, unlike Authentication-Info, the Proxy-Authentication-Info 6945 header field applies only to the next outbound client on the response 6946 chain. This is because only the client that chose a given proxy is 6947 likely to have the credentials necessary for authentication. 6948 However, when multiple proxies are used within the same 6949 administrative domain, such as office and regional caching proxies 6950 within a large corporate network, it is common for credentials to be 6951 generated by the user agent and passed through the hierarchy until 6952 consumed. Hence, in such a configuration, it will appear as if 6953 Proxy-Authentication-Info is being forwarded because each proxy will 6954 send the same field value. 6956 10.4. Response Context 6958 The remaining response header fields provide more information about 6959 the target resource for potential use in later requests. 6961 +-------------------+----------------+ 6962 | Header Field Name | Defined in... | 6963 +-------------------+----------------+ 6964 | Accept-Ranges | Section 10.4.1 | 6965 | Allow | Section 10.4.2 | 6966 | Server | Section 10.4.3 | 6967 +-------------------+----------------+ 6969 10.4.1. Accept-Ranges 6971 The "Accept-Ranges" header field allows a server to indicate that it 6972 supports range requests for the target resource. 6974 Accept-Ranges = acceptable-ranges 6975 acceptable-ranges = 1#range-unit / "none" 6977 An origin server that supports byte-range requests for a given target 6978 resource MAY send 6980 Accept-Ranges: bytes 6982 to indicate what range units are supported. A client MAY generate 6983 range requests without having received this header field for the 6984 resource involved. Range units are defined in Section 6.1.4. 6986 A server that does not support any kind of range request for the 6987 target resource MAY send 6989 Accept-Ranges: none 6991 to advise the client not to attempt a range request. 6993 10.4.2. Allow 6995 The "Allow" header field lists the set of methods advertised as 6996 supported by the target resource. The purpose of this field is 6997 strictly to inform the recipient of valid request methods associated 6998 with the resource. 7000 Allow = #method 7002 Example of use: 7004 Allow: GET, HEAD, PUT 7006 The actual set of allowed methods is defined by the origin server at 7007 the time of each request. An origin server MUST generate an Allow 7008 field in a 405 (Method Not Allowed) response and MAY do so in any 7009 other response. An empty Allow field value indicates that the 7010 resource allows no methods, which might occur in a 405 response if 7011 the resource has been temporarily disabled by configuration. 7013 A proxy MUST NOT modify the Allow header field -- it does not need to 7014 understand all of the indicated methods in order to handle them 7015 according to the generic message handling rules. 7017 10.4.3. Server 7019 The "Server" header field contains information about the software 7020 used by the origin server to handle the request, which is often used 7021 by clients to help identify the scope of reported interoperability 7022 problems, to work around or tailor requests to avoid particular 7023 server limitations, and for analytics regarding server or operating 7024 system use. An origin server MAY generate a Server field in its 7025 responses. 7027 Server = product *( RWS ( product / comment ) ) 7029 The Server field-value consists of one or more product identifiers, 7030 each followed by zero or more comments (Section 5 of [Messaging]), 7031 which together identify the origin server software and its 7032 significant subproducts. By convention, the product identifiers are 7033 listed in decreasing order of their significance for identifying the 7034 origin server software. Each product identifier consists of a name 7035 and optional version, as defined in Section 8.6.3. 7037 Example: 7039 Server: CERN/3.0 libwww/2.17 7041 An origin server SHOULD NOT generate a Server field containing 7042 needlessly fine-grained detail and SHOULD limit the addition of 7043 subproducts by third parties. Overly long and detailed Server field 7044 values increase response latency and potentially reveal internal 7045 implementation details that might make it (slightly) easier for 7046 attackers to find and exploit known security holes. 7048 11. ABNF List Extension: #rule 7050 A #rule extension to the ABNF rules of [RFC5234] is used to improve 7051 readability in the definitions of some header field values. 7053 A construct "#" is defined, similar to "*", for defining comma- 7054 delimited lists of elements. The full form is "#element" 7055 indicating at least and at most elements, each separated by a 7056 single comma (",") and optional whitespace (OWS). 7058 11.1. Sender Requirements 7060 In any production that uses the list construct, a sender MUST NOT 7061 generate empty list elements. In other words, a sender MUST generate 7062 lists that satisfy the following syntax: 7064 1#element => element *( OWS "," OWS element ) 7066 and: 7068 #element => [ 1#element ] 7070 and for n >= 1 and m > 1: 7072 #element => element *( OWS "," OWS element ) 7074 11.2. Recipient Requirements 7076 Empty elements do not contribute to the count of elements present. A 7077 recipient MUST parse and ignore a reasonable number of empty list 7078 elements: enough to handle common mistakes by senders that merge 7079 values, but not so much that they could be used as a denial-of- 7080 service mechanism. In other words, a recipient MUST accept lists 7081 that satisfy the following syntax: 7083 #element => [ element ] *( OWS "," OWS [ element ] ) 7085 Note that because of the potential presence of empty list elements, 7086 the RFC 5234 ABNF cannot enforce the cardinality of list elements, 7087 and consequently all cases are mapped is if there was no cardinality 7088 specified. 7090 For example, given these ABNF productions: 7092 example-list = 1#example-list-elmt 7093 example-list-elmt = token ; see Section 4.2.3 7095 Then the following are valid values for example-list (not including 7096 the double quotes, which are present for delimitation only): 7098 "foo,bar" 7099 "foo ,bar," 7100 "foo , ,bar,charlie" 7102 In contrast, the following values would be invalid, since at least 7103 one non-empty element is required by the example-list production: 7105 "" 7106 "," 7107 ", ," 7109 Appendix A shows the collected ABNF for recipients after the list 7110 constructs have been expanded. 7112 12. Security Considerations 7114 This section is meant to inform developers, information providers, 7115 and users of known security concerns relevant to HTTP semantics and 7116 its use for transferring information over the Internet. 7117 Considerations related to message syntax, parsing, and routing are 7118 discussed in Section 11 of [Messaging]. 7120 The list of considerations below is not exhaustive. Most security 7121 concerns related to HTTP semantics are about securing server-side 7122 applications (code behind the HTTP interface), securing user agent 7123 processing of payloads received via HTTP, or secure use of the 7124 Internet in general, rather than security of the protocol. Various 7125 organizations maintain topical information and links to current 7126 research on Web application security (e.g., [OWASP]). 7128 12.1. Establishing Authority 7130 HTTP relies on the notion of an authoritative response: a response 7131 that has been determined by (or at the direction of) the authority 7132 identified within the target URI to be the most appropriate response 7133 for that request given the state of the target resource at the time 7134 of response message origination. Providing a response from a non- 7135 authoritative source, such as a shared cache, is often useful to 7136 improve performance and availability, but only to the extent that the 7137 source can be trusted or the distrusted response can be safely used. 7139 Unfortunately, establishing authority can be difficult. For example, 7140 phishing is an attack on the user's perception of authority, where 7141 that perception can be misled by presenting similar branding in 7142 hypertext, possibly aided by userinfo obfuscating the authority 7143 component (see Section 2.5.1). User agents can reduce the impact of 7144 phishing attacks by enabling users to easily inspect a target URI 7145 prior to making an action, by prominently distinguishing (or 7146 rejecting) userinfo when present, and by not sending stored 7147 credentials and cookies when the referring document is from an 7148 unknown or untrusted source. 7150 When a registered name is used in the authority component, the "http" 7151 URI scheme (Section 2.5.1) relies on the user's local name resolution 7152 service to determine where it can find authoritative responses. This 7153 means that any attack on a user's network host table, cached names, 7154 or name resolution libraries becomes an avenue for attack on 7155 establishing authority. Likewise, the user's choice of server for 7156 Domain Name Service (DNS), and the hierarchy of servers from which it 7157 obtains resolution results, could impact the authenticity of address 7158 mappings; DNS Security Extensions (DNSSEC, [RFC4033]) are one way to 7159 improve authenticity. 7161 Furthermore, after an IP address is obtained, establishing authority 7162 for an "http" URI is vulnerable to attacks on Internet Protocol 7163 routing. 7165 The "https" scheme (Section 2.5.2) is intended to prevent (or at 7166 least reveal) many of these potential attacks on establishing 7167 authority, provided that the negotiated TLS connection is secured and 7168 the client properly verifies that the communicating server's identity 7169 matches the target URI's authority component (see [RFC2818]). 7170 Correctly implementing such verification can be difficult (see 7171 [Georgiev]). 7173 12.2. Risks of Intermediaries 7175 By their very nature, HTTP intermediaries are men-in-the-middle and, 7176 thus, represent an opportunity for man-in-the-middle attacks. 7177 Compromise of the systems on which the intermediaries run can result 7178 in serious security and privacy problems. Intermediaries might have 7179 access to security-related information, personal information about 7180 individual users and organizations, and proprietary information 7181 belonging to users and content providers. A compromised 7182 intermediary, or an intermediary implemented or configured without 7183 regard to security and privacy considerations, might be used in the 7184 commission of a wide range of potential attacks. 7186 Intermediaries that contain a shared cache are especially vulnerable 7187 to cache poisoning attacks, as described in Section 7 of [Caching]. 7189 Implementers need to consider the privacy and security implications 7190 of their design and coding decisions, and of the configuration 7191 options they provide to operators (especially the default 7192 configuration). 7194 Users need to be aware that intermediaries are no more trustworthy 7195 than the people who run them; HTTP itself cannot solve this problem. 7197 12.3. Attacks Based on File and Path Names 7199 Origin servers frequently make use of their local file system to 7200 manage the mapping from effective request URI to resource 7201 representations. Most file systems are not designed to protect 7202 against malicious file or path names. Therefore, an origin server 7203 needs to avoid accessing names that have a special significance to 7204 the system when mapping the request target to files, folders, or 7205 directories. 7207 For example, UNIX, Microsoft Windows, and other operating systems use 7208 ".." as a path component to indicate a directory level above the 7209 current one, and they use specially named paths or file names to send 7210 data to system devices. Similar naming conventions might exist 7211 within other types of storage systems. Likewise, local storage 7212 systems have an annoying tendency to prefer user-friendliness over 7213 security when handling invalid or unexpected characters, 7214 recomposition of decomposed characters, and case-normalization of 7215 case-insensitive names. 7217 Attacks based on such special names tend to focus on either denial- 7218 of-service (e.g., telling the server to read from a COM port) or 7219 disclosure of configuration and source files that are not meant to be 7220 served. 7222 12.4. Attacks Based on Command, Code, or Query Injection 7224 Origin servers often use parameters within the URI as a means of 7225 identifying system services, selecting database entries, or choosing 7226 a data source. However, data received in a request cannot be 7227 trusted. An attacker could construct any of the request data 7228 elements (method, request-target, header fields, or body) to contain 7229 data that might be misinterpreted as a command, code, or query when 7230 passed through a command invocation, language interpreter, or 7231 database interface. 7233 For example, SQL injection is a common attack wherein additional 7234 query language is inserted within some part of the request-target or 7235 header fields (e.g., Host, Referer, etc.). If the received data is 7236 used directly within a SELECT statement, the query language might be 7237 interpreted as a database command instead of a simple string value. 7239 This type of implementation vulnerability is extremely common, in 7240 spite of being easy to prevent. 7242 In general, resource implementations ought to avoid use of request 7243 data in contexts that are processed or interpreted as instructions. 7244 Parameters ought to be compared to fixed strings and acted upon as a 7245 result of that comparison, rather than passed through an interface 7246 that is not prepared for untrusted data. Received data that isn't 7247 based on fixed parameters ought to be carefully filtered or encoded 7248 to avoid being misinterpreted. 7250 Similar considerations apply to request data when it is stored and 7251 later processed, such as within log files, monitoring tools, or when 7252 included within a data format that allows embedded scripts. 7254 12.5. Attacks via Protocol Element Length 7256 Because HTTP uses mostly textual, character-delimited fields, parsers 7257 are often vulnerable to attacks based on sending very long (or very 7258 slow) streams of data, particularly where an implementation is 7259 expecting a protocol element with no predefined length (Section 3.3). 7261 To promote interoperability, specific recommendations are made for 7262 minimum size limits on request-line (Section 3 of [Messaging]) and 7263 header fields (Section 5 of [Messaging]). These are minimum 7264 recommendations, chosen to be supportable even by implementations 7265 with limited resources; it is expected that most implementations will 7266 choose substantially higher limits. 7268 A server can reject a message that has a request-target that is too 7269 long (Section 9.5.15) or a request payload that is too large 7270 (Section 9.5.14). Additional status codes related to capacity limits 7271 have been defined by extensions to HTTP [RFC6585]. 7273 Recipients ought to carefully limit the extent to which they process 7274 other protocol elements, including (but not limited to) request 7275 methods, response status phrases, header field-names, numeric values, 7276 and body chunks. Failure to limit such processing can result in 7277 buffer overflows, arithmetic overflows, or increased vulnerability to 7278 denial-of-service attacks. 7280 12.6. Disclosure of Personal Information 7282 Clients are often privy to large amounts of personal information, 7283 including both information provided by the user to interact with 7284 resources (e.g., the user's name, location, mail address, passwords, 7285 encryption keys, etc.) and information about the user's browsing 7286 activity over time (e.g., history, bookmarks, etc.). Implementations 7287 need to prevent unintentional disclosure of personal information. 7289 12.7. Privacy of Server Log Information 7291 A server is in the position to save personal data about a user's 7292 requests over time, which might identify their reading patterns or 7293 subjects of interest. In particular, log information gathered at an 7294 intermediary often contains a history of user agent interaction, 7295 across a multitude of sites, that can be traced to individual users. 7297 HTTP log information is confidential in nature; its handling is often 7298 constrained by laws and regulations. Log information needs to be 7299 securely stored and appropriate guidelines followed for its analysis. 7300 Anonymization of personal information within individual entries 7301 helps, but it is generally not sufficient to prevent real log traces 7302 from being re-identified based on correlation with other access 7303 characteristics. As such, access traces that are keyed to a specific 7304 client are unsafe to publish even if the key is pseudonymous. 7306 To minimize the risk of theft or accidental publication, log 7307 information ought to be purged of personally identifiable 7308 information, including user identifiers, IP addresses, and user- 7309 provided query parameters, as soon as that information is no longer 7310 necessary to support operational needs for security, auditing, or 7311 fraud control. 7313 12.8. Disclosure of Sensitive Information in URIs 7315 URIs are intended to be shared, not secured, even when they identify 7316 secure resources. URIs are often shown on displays, added to 7317 templates when a page is printed, and stored in a variety of 7318 unprotected bookmark lists. It is therefore unwise to include 7319 information within a URI that is sensitive, personally identifiable, 7320 or a risk to disclose. 7322 Authors of services ought to avoid GET-based forms for the submission 7323 of sensitive data because that data will be placed in the request- 7324 target. Many existing servers, proxies, and user agents log or 7325 display the request-target in places where it might be visible to 7326 third parties. Such services ought to use POST-based form submission 7327 instead. 7329 Since the Referer header field tells a target site about the context 7330 that resulted in a request, it has the potential to reveal 7331 information about the user's immediate browsing history and any 7332 personal information that might be found in the referring resource's 7333 URI. Limitations on the Referer header field are described in 7334 Section 8.6.2 to address some of its security considerations. 7336 12.9. Disclosure of Fragment after Redirects 7338 Although fragment identifiers used within URI references are not sent 7339 in requests, implementers ought to be aware that they will be visible 7340 to the user agent and any extensions or scripts running as a result 7341 of the response. In particular, when a redirect occurs and the 7342 original request's fragment identifier is inherited by the new 7343 reference in Location (Section 10.1.2), this might have the effect of 7344 disclosing one site's fragment to another site. If the first site 7345 uses personal information in fragments, it ought to ensure that 7346 redirects to other sites include a (possibly empty) fragment 7347 component in order to block that inheritance. 7349 12.10. Disclosure of Product Information 7351 The User-Agent (Section 8.6.3), Via (Section 5.5.1), and Server 7352 (Section 10.4.3) header fields often reveal information about the 7353 respective sender's software systems. In theory, this can make it 7354 easier for an attacker to exploit known security holes; in practice, 7355 attackers tend to try all potential holes regardless of the apparent 7356 software versions being used. 7358 Proxies that serve as a portal through a network firewall ought to 7359 take special precautions regarding the transfer of header information 7360 that might identify hosts behind the firewall. The Via header field 7361 allows intermediaries to replace sensitive machine names with 7362 pseudonyms. 7364 12.11. Browser Fingerprinting 7366 Browser fingerprinting is a set of techniques for identifying a 7367 specific user agent over time through its unique set of 7368 characteristics. These characteristics might include information 7369 related to its TCP behavior, feature capabilities, and scripting 7370 environment, though of particular interest here is the set of unique 7371 characteristics that might be communicated via HTTP. Fingerprinting 7372 is considered a privacy concern because it enables tracking of a user 7373 agent's behavior over time without the corresponding controls that 7374 the user might have over other forms of data collection (e.g., 7375 cookies). Many general-purpose user agents (i.e., Web browsers) have 7376 taken steps to reduce their fingerprints. 7378 There are a number of request header fields that might reveal 7379 information to servers that is sufficiently unique to enable 7380 fingerprinting. The From header field is the most obvious, though it 7381 is expected that From will only be sent when self-identification is 7382 desired by the user. Likewise, Cookie header fields are deliberately 7383 designed to enable re-identification, so fingerprinting concerns only 7384 apply to situations where cookies are disabled or restricted by the 7385 user agent's configuration. 7387 The User-Agent header field might contain enough information to 7388 uniquely identify a specific device, usually when combined with other 7389 characteristics, particularly if the user agent sends excessive 7390 details about the user's system or extensions. However, the source 7391 of unique information that is least expected by users is proactive 7392 negotiation (Section 8.4), including the Accept, Accept-Charset, 7393 Accept-Encoding, and Accept-Language header fields. 7395 In addition to the fingerprinting concern, detailed use of the 7396 Accept-Language header field can reveal information the user might 7397 consider to be of a private nature. For example, understanding a 7398 given language set might be strongly correlated to membership in a 7399 particular ethnic group. An approach that limits such loss of 7400 privacy would be for a user agent to omit the sending of Accept- 7401 Language except for sites that have been whitelisted, perhaps via 7402 interaction after detecting a Vary header field that indicates 7403 language negotiation might be useful. 7405 In environments where proxies are used to enhance privacy, user 7406 agents ought to be conservative in sending proactive negotiation 7407 header fields. General-purpose user agents that provide a high 7408 degree of header field configurability ought to inform users about 7409 the loss of privacy that might result if too much detail is provided. 7410 As an extreme privacy measure, proxies could filter the proactive 7411 negotiation header fields in relayed requests. 7413 12.12. Validator Retention 7415 The validators defined by this specification are not intended to 7416 ensure the validity of a representation, guard against malicious 7417 changes, or detect man-in-the-middle attacks. At best, they enable 7418 more efficient cache updates and optimistic concurrent writes when 7419 all participants are behaving nicely. At worst, the conditions will 7420 fail and the client will receive a response that is no more harmful 7421 than an HTTP exchange without conditional requests. 7423 An entity-tag can be abused in ways that create privacy risks. For 7424 example, a site might deliberately construct a semantically invalid 7425 entity-tag that is unique to the user or user agent, send it in a 7426 cacheable response with a long freshness time, and then read that 7427 entity-tag in later conditional requests as a means of re-identifying 7428 that user or user agent. Such an identifying tag would become a 7429 persistent identifier for as long as the user agent retained the 7430 original cache entry. User agents that cache representations ought 7431 to ensure that the cache is cleared or replaced whenever the user 7432 performs privacy-maintaining actions, such as clearing stored cookies 7433 or changing to a private browsing mode. 7435 12.13. Denial-of-Service Attacks Using Range 7437 Unconstrained multiple range requests are susceptible to denial-of- 7438 service attacks because the effort required to request many 7439 overlapping ranges of the same data is tiny compared to the time, 7440 memory, and bandwidth consumed by attempting to serve the requested 7441 data in many parts. Servers ought to ignore, coalesce, or reject 7442 egregious range requests, such as requests for more than two 7443 overlapping ranges or for many small ranges in a single set, 7444 particularly when the ranges are requested out of order for no 7445 apparent reason. Multipart range requests are not designed to 7446 support random access. 7448 12.14. Authentication Considerations 7450 Everything about the topic of HTTP authentication is a security 7451 consideration, so the list of considerations below is not exhaustive. 7452 Furthermore, it is limited to security considerations regarding the 7453 authentication framework, in general, rather than discussing all of 7454 the potential considerations for specific authentication schemes 7455 (which ought to be documented in the specifications that define those 7456 schemes). Various organizations maintain topical information and 7457 links to current research on Web application security (e.g., 7458 [OWASP]), including common pitfalls for implementing and using the 7459 authentication schemes found in practice. 7461 12.14.1. Confidentiality of Credentials 7463 The HTTP authentication framework does not define a single mechanism 7464 for maintaining the confidentiality of credentials; instead, each 7465 authentication scheme defines how the credentials are encoded prior 7466 to transmission. While this provides flexibility for the development 7467 of future authentication schemes, it is inadequate for the protection 7468 of existing schemes that provide no confidentiality on their own, or 7469 that do not sufficiently protect against replay attacks. 7470 Furthermore, if the server expects credentials that are specific to 7471 each individual user, the exchange of those credentials will have the 7472 effect of identifying that user even if the content within 7473 credentials remains confidential. 7475 HTTP depends on the security properties of the underlying transport- 7476 or session-level connection to provide confidential transmission of 7477 header fields. In other words, if a server limits access to 7478 authenticated users using this framework, the server needs to ensure 7479 that the connection is properly secured in accordance with the nature 7480 of the authentication scheme used. For example, services that depend 7481 on individual user authentication often require a connection to be 7482 secured with TLS ("Transport Layer Security", [RFC5246]) prior to 7483 exchanging any credentials. 7485 12.14.2. Credentials and Idle Clients 7487 Existing HTTP clients and user agents typically retain authentication 7488 information indefinitely. HTTP does not provide a mechanism for the 7489 origin server to direct clients to discard these cached credentials, 7490 since the protocol has no awareness of how credentials are obtained 7491 or managed by the user agent. The mechanisms for expiring or 7492 revoking credentials can be specified as part of an authentication 7493 scheme definition. 7495 Circumstances under which credential caching can interfere with the 7496 application's security model include but are not limited to: 7498 o Clients that have been idle for an extended period, following 7499 which the server might wish to cause the client to re-prompt the 7500 user for credentials. 7502 o Applications that include a session termination indication (such 7503 as a "logout" or "commit" button on a page) after which the server 7504 side of the application "knows" that there is no further reason 7505 for the client to retain the credentials. 7507 User agents that cache credentials are encouraged to provide a 7508 readily accessible mechanism for discarding cached credentials under 7509 user control. 7511 12.14.3. Protection Spaces 7513 Authentication schemes that solely rely on the "realm" mechanism for 7514 establishing a protection space will expose credentials to all 7515 resources on an origin server. Clients that have successfully made 7516 authenticated requests with a resource can use the same 7517 authentication credentials for other resources on the same origin 7518 server. This makes it possible for a different resource to harvest 7519 authentication credentials for other resources. 7521 This is of particular concern when an origin server hosts resources 7522 for multiple parties under the same canonical root URI 7523 (Section 8.5.2). Possible mitigation strategies include restricting 7524 direct access to authentication credentials (i.e., not making the 7525 content of the Authorization request header field available), and 7526 separating protection spaces by using a different host name (or port 7527 number) for each party. 7529 12.14.4. Additional Response Header Fields 7531 Adding information to responses that are sent over an unencrypted 7532 channel can affect security and privacy. The presence of the 7533 Authentication-Info and Proxy-Authentication-Info header fields alone 7534 indicates that HTTP authentication is in use. Additional information 7535 could be exposed by the contents of the authentication-scheme 7536 specific parameters; this will have to be considered in the 7537 definitions of these schemes. 7539 13. IANA Considerations 7541 The change controller for the following registrations is: "IETF 7542 (iesg@ietf.org) - Internet Engineering Task Force". 7544 13.1. URI Scheme Registration 7546 Please update the registry of URI Schemes [BCP35] at 7547 with the permanent 7548 schemes listed in the first table of Section 2.5. 7550 13.2. Method Registration 7552 Please update the "Hypertext Transfer Protocol (HTTP) Method 7553 Registry" at with the 7554 registration procedure of Section 7.4.1 and the method names 7555 summarized in the table of Section 7.2. 7557 13.3. Status Code Registration 7559 Please update the "Hypertext Transfer Protocol (HTTP) Status Code 7560 Registry" at 7561 with the registration procedure of Section 9.7.1 and the status code 7562 values summarized in the table of Section 9.1. 7564 Additionally, please update the following entry in the Hypertext 7565 Transfer Protocol (HTTP) Status Code Registry: 7567 Value: 418 7569 Description: (Unused) 7571 Reference Section 9.5.19 7573 13.4. Header Field Registration 7575 Please create a new registry as outlined in Section 4.1.1. 7577 After creating the registry, all entries in the Permanent and 7578 Provisional Message Header Registries with the protocol 'http' are to 7579 be moved to it, with the following changes applied: 7581 1. The 'Applicable Protocol' field is to be omitted. 7583 2. Entries with a status of 'standard', 'experimental', or 7584 'informational' are to have a status of 'permanent'. 7586 3. Provisional entries without a status are to have a status of 7587 'provisional'. 7589 4. Permanent entries without a status (after confirmation that the 7590 registration document did not define one) will have a status of 7591 'provisional'. The Expert(s) can choose to update their status 7592 if there is evidence that another is more appropriate. 7594 Please annotate the Permanent and Provisional Message Header 7595 registries to indicate that HTTP header field registrations have 7596 moved, with an appropriate link. 7598 After that is complete, please update the new registry with the 7599 header field names listed in the table of Section 4.1. 7601 Finally, please update the "Content-MD5" entry in the new registry to 7602 have a status of 'obsoleted' with references to Section 14.15 of 7603 [RFC2616] (for the definition of the header field) and Appendix B of 7604 [RFC7231] (which removed the field definition from the updated 7605 specification). 7607 13.5. Authentication Scheme Registration 7609 Please update the "Hypertext Transfer Protocol (HTTP) Authentication 7610 Scheme Registry" at with the registration procedure of Section 8.5.5.1. No 7612 authentication schemes are defined in this document. 7614 13.6. Content Coding Registration 7616 Please update the "HTTP Content Coding Registry" at 7617 with the 7618 registration procedure of Section 6.1.2.4.1 and the content coding 7619 names summarized in the table of Section 6.1.2. 7621 13.7. Range Unit Registration 7623 Please update the "HTTP Range Unit Registry" at 7624 with the 7625 registration procedure of Section 6.1.4.3 and the range unit names 7626 summarized in the table of Section 6.1.4. 7628 13.8. Media Type Registration 7630 Please update the "Media Types" registry at 7631 with the registration 7632 information in Section 6.3.4 for the media type "multipart/ 7633 byteranges". 7635 14. References 7637 14.1. Normative References 7639 [Caching] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 7640 Ed., "HTTP Caching", draft-ietf-httpbis-cache-05 (work in 7641 progress), July 2019. 7643 [Messaging] 7644 Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 7645 Ed., "HTTP/1.1 Messaging", draft-ietf-httpbis-messaging-05 7646 (work in progress), July 2019. 7648 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 7649 RFC 793, DOI 10.17487/RFC0793, September 1981, 7650 . 7652 [RFC1950] Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data Format 7653 Specification version 3.3", RFC 1950, 7654 DOI 10.17487/RFC1950, May 1996, 7655 . 7657 [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification 7658 version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996, 7659 . 7661 [RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and G. 7662 Randers-Pehrson, "GZIP file format specification version 7663 4.3", RFC 1952, DOI 10.17487/RFC1952, May 1996, 7664 . 7666 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 7667 Extensions (MIME) Part One: Format of Internet Message 7668 Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, 7669 . 7671 [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 7672 Extensions (MIME) Part Two: Media Types", RFC 2046, 7673 DOI 10.17487/RFC2046, November 1996, 7674 . 7676 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 7677 Requirement Levels", BCP 14, RFC 2119, 7678 DOI 10.17487/RFC2119, March 1997, 7679 . 7681 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 7682 Resource Identifier (URI): Generic Syntax", STD 66, 7683 RFC 3986, DOI 10.17487/RFC3986, January 2005, 7684 . 7686 [RFC4647] Phillips, A., Ed. and M. Davis, Ed., "Matching of Language 7687 Tags", BCP 47, RFC 4647, DOI 10.17487/RFC4647, September 7688 2006, . 7690 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 7691 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 7692 . 7694 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 7695 Specifications: ABNF", STD 68, RFC 5234, 7696 DOI 10.17487/RFC5234, January 2008, 7697 . 7699 [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying 7700 Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, 7701 September 2009, . 7703 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in 7704 Internationalization in the IETF", BCP 166, RFC 6365, 7705 DOI 10.17487/RFC6365, September 2011, 7706 . 7708 [RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF", 7709 RFC 7405, DOI 10.17487/RFC7405, December 2014, 7710 . 7712 [USASCII] American National Standards Institute, "Coded Character 7713 Set -- 7-bit American Standard Code for Information 7714 Interchange", ANSI X3.4, 1986. 7716 [Welch] Welch, T., "A Technique for High-Performance Data 7717 Compression", IEEE Computer 17(6), 7718 DOI 10.1109/MC.1984.1659158, June 1984, 7719 . 7721 14.2. Informative References 7723 [BCP13] Freed, N., Klensin, J., and T. Hansen, "Media Type 7724 Specifications and Registration Procedures", BCP 13, 7725 RFC 6838, January 2013, 7726 . 7728 [BCP178] Saint-Andre, P., Crocker, D., and M. Nottingham, 7729 "Deprecating the "X-" Prefix and Similar Constructs in 7730 Application Protocols", BCP 178, RFC 6648, June 2012, 7731 . 7733 [BCP35] Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines 7734 and Registration Procedures for URI Schemes", BCP 35, 7735 RFC 7595, June 2015, 7736 . 7738 [BCP90] Klyne, G., Nottingham, M., and J. Mogul, "Registration 7739 Procedures for Message Header Fields", BCP 90, RFC 3864, 7740 September 2004, . 7742 [Err1912] RFC Errata, Erratum ID 1912, RFC 2978, 7743 . 7745 [Err5433] RFC Errata, Erratum ID 5433, RFC 2978, 7746 . 7748 [Georgiev] 7749 Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, 7750 D., and V. Shmatikov, "The Most Dangerous Code in the 7751 World: Validating SSL Certificates in Non-browser 7752 Software", In Proceedings of the 2012 ACM Conference on 7753 Computer and Communications Security (CCS '12), pp. 38-49, 7754 October 2012, 7755 . 7757 [ISO-8859-1] 7758 International Organization for Standardization, 7759 "Information technology -- 8-bit single-byte coded graphic 7760 character sets -- Part 1: Latin alphabet No. 1", ISO/ 7761 IEC 8859-1:1998, 1998. 7763 [Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and 7764 Politics", ACM Transactions on Internet Technology 1(2), 7765 November 2001, . 7767 [OWASP] van der Stock, A., Ed., "A Guide to Building Secure Web 7768 Applications and Web Services", The Open Web Application 7769 Security Project (OWASP) 2.0.1, July 2005, 7770 . 7772 [REST] Fielding, R., "Architectural Styles and the Design of 7773 Network-based Software Architectures", 7774 Doctoral Dissertation, University of California, Irvine, 7775 September 2000, 7776 . 7778 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 7779 RFC 1919, DOI 10.17487/RFC1919, March 1996, 7780 . 7782 [RFC1945] Berners-Lee, T., Fielding, R., and H. Nielsen, "Hypertext 7783 Transfer Protocol -- HTTP/1.0", RFC 1945, 7784 DOI 10.17487/RFC1945, May 1996, 7785 . 7787 [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) 7788 Part Three: Message Header Extensions for Non-ASCII Text", 7789 RFC 2047, DOI 10.17487/RFC2047, November 1996, 7790 . 7792 [RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. 7793 Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", 7794 RFC 2068, DOI 10.17487/RFC2068, January 1997, 7795 . 7797 [RFC2145] Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, "Use 7798 and Interpretation of HTTP Version Numbers", RFC 2145, 7799 DOI 10.17487/RFC2145, May 1997, 7800 . 7802 [RFC2295] Holtman, K. and A. Mutz, "Transparent Content Negotiation 7803 in HTTP", RFC 2295, DOI 10.17487/RFC2295, March 1998, 7804 . 7806 [RFC2324] Masinter, L., "Hyper Text Coffee Pot Control Protocol 7807 (HTCPCP/1.0)", RFC 2324, DOI 10.17487/RFC2324, April 1998, 7808 . 7810 [RFC2557] Palme, F., Hopmann, A., Shelness, N., and E. Stefferud, 7811 "MIME Encapsulation of Aggregate Documents, such as HTML 7812 (MHTML)", RFC 2557, DOI 10.17487/RFC2557, March 1999, 7813 . 7815 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 7816 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 7817 Transfer Protocol -- HTTP/1.1", RFC 2616, 7818 DOI 10.17487/RFC2616, June 1999, 7819 . 7821 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., 7822 Leach, P., Luotonen, A., and L. Stewart, "HTTP 7823 Authentication: Basic and Digest Access Authentication", 7824 RFC 2617, DOI 10.17487/RFC2617, June 1999, 7825 . 7827 [RFC2774] Frystyk, H., Leach, P., and S. Lawrence, "An HTTP 7828 Extension Framework", RFC 2774, DOI 10.17487/RFC2774, 7829 February 2000, . 7831 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 7832 DOI 10.17487/RFC2818, May 2000, 7833 . 7835 [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration 7836 Procedures", BCP 19, RFC 2978, DOI 10.17487/RFC2978, 7837 October 2000, . 7839 [RFC3040] Cooper, I., Melve, I., and G. Tomlinson, "Internet Web 7840 Replication and Caching Taxonomy", RFC 3040, 7841 DOI 10.17487/RFC3040, January 2001, 7842 . 7844 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 7845 Rose, "DNS Security Introduction and Requirements", 7846 RFC 4033, DOI 10.17487/RFC4033, March 2005, 7847 . 7849 [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based 7850 Kerberos and NTLM HTTP Authentication in Microsoft 7851 Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006, 7852 . 7854 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed 7855 Authoring and Versioning (WebDAV)", RFC 4918, 7856 DOI 10.17487/RFC4918, June 2007, 7857 . 7859 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 7860 (TLS) Protocol Version 1.2", RFC 5246, 7861 DOI 10.17487/RFC5246, August 2008, 7862 . 7864 [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, 7865 DOI 10.17487/RFC5322, October 2008, 7866 . 7868 [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", 7869 RFC 5789, DOI 10.17487/RFC5789, March 2010, 7870 . 7872 [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, 7873 "Network Time Protocol Version 4: Protocol and Algorithms 7874 Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, 7875 . 7877 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, 7878 DOI 10.17487/RFC6265, April 2011, 7879 . 7881 [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status 7882 Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, 7883 . 7885 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7886 Protocol (HTTP/1.1): Message Syntax and Routing", 7887 RFC 7230, DOI 10.17487/RFC7230, June 2014, 7888 . 7890 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7891 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 7892 DOI 10.17487/RFC7231, June 2014, 7893 . 7895 [RFC7232] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7896 Protocol (HTTP/1.1): Conditional Requests", RFC 7232, 7897 DOI 10.17487/RFC7232, June 2014, 7898 . 7900 [RFC7233] Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed., 7901 "Hypertext Transfer Protocol (HTTP): Range Requests", 7902 RFC 7233, DOI 10.17487/RFC7233, June 2014, 7903 . 7905 [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7906 Protocol (HTTP/1.1): Authentication", RFC 7235, 7907 DOI 10.17487/RFC7235, June 2014, 7908 . 7910 [RFC7538] Reschke, J., "The Hypertext Transfer Protocol Status Code 7911 308 (Permanent Redirect)", RFC 7538, DOI 10.17487/RFC7538, 7912 April 2015, . 7914 [RFC7578] Masinter, L., "Returning Values from Forms: multipart/ 7915 form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015, 7916 . 7918 [RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy- 7919 Authentication-Info Response Header Fields", RFC 7615, 7920 DOI 10.17487/RFC7615, September 2015, 7921 . 7923 [RFC7616] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP 7924 Digest Access Authentication", RFC 7616, 7925 DOI 10.17487/RFC7616, September 2015, 7926 . 7928 [RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", 7929 RFC 7617, DOI 10.17487/RFC7617, September 2015, 7930 . 7932 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 7933 Writing an IANA Considerations Section in RFCs", BCP 26, 7934 RFC 8126, DOI 10.17487/RFC8126, June 2017, 7935 . 7937 [RFC8187] Reschke, J., "Indicating Character Encoding and Language 7938 for HTTP Header Field Parameters", RFC 8187, 7939 DOI 10.17487/RFC8187, September 2017, 7940 . 7942 [RFC8246] McManus, P., "HTTP Immutable Responses", RFC 8246, 7943 DOI 10.17487/RFC8246, September 2017, 7944 . 7946 [RFC8288] Nottingham, M., "Web Linking", RFC 8288, 7947 DOI 10.17487/RFC8288, October 2017, 7948 . 7950 [Sniffing] 7951 WHATWG, "MIME Sniffing", 7952 . 7954 Appendix A. Collected ABNF 7956 In the collected ABNF below, list rules are expanded as per 7957 Section 11. 7959 Accept = [ ( "," / ( media-range [ accept-params ] ) ) *( OWS "," [ 7960 OWS ( media-range [ accept-params ] ) ] ) ] 7961 Accept-Charset = *( "," OWS ) ( ( charset / "*" ) [ weight ] ) *( OWS 7962 "," [ OWS ( ( charset / "*" ) [ weight ] ) ] ) 7963 Accept-Encoding = [ ( "," / ( codings [ weight ] ) ) *( OWS "," [ OWS 7964 ( codings [ weight ] ) ] ) ] 7965 Accept-Language = *( "," OWS ) ( language-range [ weight ] ) *( OWS 7966 "," [ OWS ( language-range [ weight ] ) ] ) 7967 Accept-Ranges = acceptable-ranges 7968 Allow = [ method ] *( OWS "," OWS [ method ] ) 7969 Authentication-Info = [ auth-param ] *( OWS "," OWS [ auth-param ] ) 7970 Authorization = credentials 7972 BWS = OWS 7974 Content-Encoding = [ content-coding ] *( OWS "," OWS [ content-coding 7975 ] ) 7976 Content-Language = [ language-tag ] *( OWS "," OWS [ language-tag ] 7977 ) 7978 Content-Length = 1*DIGIT 7979 Content-Location = absolute-URI / partial-URI 7980 Content-Range = byte-content-range / other-content-range 7981 Content-Type = media-type 7983 Date = HTTP-date 7985 ETag = entity-tag 7986 Expect = "100-continue" 7988 From = mailbox 7990 GMT = %x47.4D.54 ; GMT 7992 HTTP-date = IMF-fixdate / obs-date 7993 Host = uri-host [ ":" port ] 7995 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 7996 If-Match = "*" / ( [ entity-tag ] *( OWS "," OWS [ entity-tag ] ) ) 7997 If-Modified-Since = HTTP-date 7998 If-None-Match = "*" / ( [ entity-tag ] *( OWS "," OWS [ entity-tag ] 7999 ) ) 8000 If-Range = entity-tag / HTTP-date 8001 If-Unmodified-Since = HTTP-date 8002 Last-Modified = HTTP-date 8003 Location = URI-reference 8005 Max-Forwards = 1*DIGIT 8007 OWS = *( SP / HTAB ) 8009 Proxy-Authenticate = [ challenge ] *( OWS "," OWS [ challenge ] ) 8010 Proxy-Authentication-Info = [ auth-param ] *( OWS "," OWS [ 8011 auth-param ] ) 8012 Proxy-Authorization = credentials 8014 RWS = 1*( SP / HTAB ) 8015 Range = byte-ranges-specifier / other-ranges-specifier 8016 Referer = absolute-URI / partial-URI 8017 Retry-After = HTTP-date / delay-seconds 8019 Server = product *( RWS ( product / comment ) ) 8021 Trailer = [ field-name ] *( OWS "," OWS [ field-name ] ) 8023 URI-reference = 8024 User-Agent = product *( RWS ( product / comment ) ) 8026 Vary = "*" / ( [ field-name ] *( OWS "," OWS [ field-name ] ) ) 8027 Via = *( "," OWS ) ( received-protocol RWS received-by [ RWS comment 8028 ] ) *( OWS "," [ OWS ( received-protocol RWS received-by [ RWS 8029 comment ] ) ] ) 8031 WWW-Authenticate = [ challenge ] *( OWS "," OWS [ challenge ] ) 8033 absolute-URI = 8034 absolute-path = 1*( "/" segment ) 8035 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 8036 accept-params = weight *accept-ext 8037 acceptable-ranges = ( [ range-unit ] *( OWS "," OWS [ range-unit ] ) 8038 ) / "none" 8039 asctime-date = day-name SP date3 SP time-of-day SP year 8040 auth-param = token BWS "=" BWS ( token / quoted-string ) 8041 auth-scheme = token 8042 authority = 8044 byte-content-range = bytes-unit SP ( byte-range-resp / 8045 unsatisfied-range ) 8046 byte-range = first-byte-pos "-" last-byte-pos 8047 byte-range-resp = byte-range "/" ( complete-length / "*" ) 8048 byte-range-set = *( "," OWS ) ( byte-range-spec / 8049 suffix-byte-range-spec ) *( OWS "," [ OWS ( byte-range-spec / 8050 suffix-byte-range-spec ) ] ) 8051 byte-range-spec = first-byte-pos "-" [ last-byte-pos ] 8052 byte-ranges-specifier = bytes-unit "=" byte-range-set 8053 bytes-unit = "bytes" 8055 challenge = auth-scheme [ 1*SP ( token68 / ( [ auth-param ] *( OWS 8056 "," OWS [ auth-param ] ) ) ) ] 8057 charset = token 8058 codings = content-coding / "identity" / "*" 8059 comment = "(" *( ctext / quoted-pair / comment ) ")" 8060 complete-length = 1*DIGIT 8061 content-coding = token 8062 credentials = auth-scheme [ 1*SP ( token68 / ( [ auth-param ] *( OWS 8063 "," OWS [ auth-param ] ) ) ) ] 8064 ctext = HTAB / SP / %x21-27 ; '!'-''' 8065 / %x2A-5B ; '*'-'[' 8066 / %x5D-7E ; ']'-'~' 8067 / obs-text 8069 date1 = day SP month SP year 8070 date2 = day "-" month "-" 2DIGIT 8071 date3 = month SP ( 2DIGIT / ( SP DIGIT ) ) 8072 day = 2DIGIT 8073 day-name = %x4D.6F.6E ; Mon 8074 / %x54.75.65 ; Tue 8075 / %x57.65.64 ; Wed 8076 / %x54.68.75 ; Thu 8077 / %x46.72.69 ; Fri 8078 / %x53.61.74 ; Sat 8079 / %x53.75.6E ; Sun 8080 day-name-l = %x4D.6F.6E.64.61.79 ; Monday 8081 / %x54.75.65.73.64.61.79 ; Tuesday 8082 / %x57.65.64.6E.65.73.64.61.79 ; Wednesday 8083 / %x54.68.75.72.73.64.61.79 ; Thursday 8084 / %x46.72.69.64.61.79 ; Friday 8085 / %x53.61.74.75.72.64.61.79 ; Saturday 8086 / %x53.75.6E.64.61.79 ; Sunday 8087 delay-seconds = 1*DIGIT 8089 entity-tag = [ weak ] opaque-tag 8090 etagc = "!" / %x23-7E ; '#'-'~' 8091 / obs-text 8093 field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) 8094 field-vchar ] 8095 field-name = token 8096 field-value = *( field-content / obs-fold ) 8097 field-vchar = VCHAR / obs-text 8098 first-byte-pos = 1*DIGIT 8100 hour = 2DIGIT 8101 http-URI = "http://" authority path-abempty [ "?" query ] 8102 https-URI = "https://" authority path-abempty [ "?" query ] 8104 language-range = 8105 language-tag = 8106 last-byte-pos = 1*DIGIT 8108 mailbox = 8109 media-range = ( "*/*" / ( type "/*" ) / ( type "/" subtype ) ) *( OWS 8110 ";" OWS parameter ) 8111 media-type = type "/" subtype *( OWS ";" OWS parameter ) 8112 method = token 8113 minute = 2DIGIT 8114 month = %x4A.61.6E ; Jan 8115 / %x46.65.62 ; Feb 8116 / %x4D.61.72 ; Mar 8117 / %x41.70.72 ; Apr 8118 / %x4D.61.79 ; May 8119 / %x4A.75.6E ; Jun 8120 / %x4A.75.6C ; Jul 8121 / %x41.75.67 ; Aug 8122 / %x53.65.70 ; Sep 8123 / %x4F.63.74 ; Oct 8124 / %x4E.6F.76 ; Nov 8125 / %x44.65.63 ; Dec 8127 obs-date = rfc850-date / asctime-date 8128 obs-fold = 8129 obs-text = %x80-FF 8130 opaque-tag = DQUOTE *etagc DQUOTE 8131 other-content-range = other-range-unit SP other-range-resp 8132 other-range-resp = *VCHAR 8133 other-range-set = 1*VCHAR 8134 other-range-unit = token 8135 other-ranges-specifier = other-range-unit "=" other-range-set 8137 parameter = parameter-name "=" parameter-value 8138 parameter-name = token 8139 parameter-value = ( token / quoted-string ) 8140 partial-URI = relative-part [ "?" query ] 8141 path-abempty = 8142 port = 8143 product = token [ "/" product-version ] 8144 product-version = token 8145 protocol-name = 8146 protocol-version = 8147 pseudonym = token 8149 qdtext = HTAB / SP / "!" / %x23-5B ; '#'-'[' 8150 / %x5D-7E ; ']'-'~' 8151 / obs-text 8152 query = 8153 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 8154 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 8155 qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] ) 8157 range-unit = bytes-unit / other-range-unit 8158 received-by = ( uri-host [ ":" port ] ) / pseudonym 8159 received-protocol = [ protocol-name "/" ] protocol-version 8160 relative-part = 8161 request-target = 8162 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 8164 second = 2DIGIT 8165 segment = 8166 subtype = token 8167 suffix-byte-range-spec = "-" suffix-length 8168 suffix-length = 1*DIGIT 8170 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / 8171 "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA 8172 time-of-day = hour ":" minute ":" second 8173 token = 1*tchar 8174 token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) 8175 *"=" 8176 type = token 8178 unsatisfied-range = "*/" complete-length 8179 uri-host = 8181 weak = %x57.2F ; W/ 8182 weight = OWS ";" OWS "q=" qvalue 8184 year = 4DIGIT 8186 Appendix B. Changes from RFC 7230 8188 Most of the sections introducing HTTP's design goals, history, 8189 architecture, conformance criteria, protocol versioning, URIs, 8190 message routing, and header field values have been moved here 8191 (without substantive change). 8193 Furthermore: 8195 Add status code 308 (previously defined in [RFC7538]) so that it's 8196 defined closer to status codes 301, 302, and 307. (Section 9.4.9) 8198 Add status code 422 (previously defined in Section 11.2 of [RFC4918]) 8199 because of it's general applicability. (Section 9.5.20) 8201 Appendix C. Changes from RFC 7231 8203 None yet. 8205 Appendix D. Changes from RFC 7232 8207 None yet. 8209 Appendix E. Changes from RFC 7233 8211 None yet. 8213 Appendix F. Changes from RFC 7235 8215 None yet. 8217 Appendix G. Changes from RFC 7538 8219 None yet. 8221 Appendix H. Changes from RFC 7615 8223 None yet. 8225 Appendix I. Change Log 8227 This section is to be removed before publishing as an RFC. 8229 I.1. Between RFC723x and draft 00 8231 The changes were purely editorial: 8233 o Change boilerplate and abstract to indicate the "draft" status, 8234 and update references to ancestor specifications. 8236 o Remove version "1.1" from document title, indicating that this 8237 specification applies to all HTTP versions. 8239 o Adjust historical notes. 8241 o Update links to sibling specifications. 8243 o Replace sections listing changes from RFC 2616 by new empty 8244 sections referring to RFC 723x. 8246 o Remove acknowledgements specific to RFC 723x. 8248 o Move "Acknowledgements" to the very end and make them unnumbered. 8250 I.2. Since draft-ietf-httpbis-semantics-00 8252 The changes in this draft are editorial, with respect to HTTP as a 8253 whole, to merge core HTTP semantics into this document: 8255 o Merged introduction, architecture, conformance, and ABNF 8256 extensions from RFC 7230 (Messaging). 8258 o Rearranged architecture to extract conformance, http(s) schemes, 8259 and protocol versioning into a separate major section. 8261 o Moved discussion of MIME differences to [Messaging] since that is 8262 primarily concerned with transforming 1.1 messages. 8264 o Merged entire content of RFC 7232 (Conditional Requests). 8266 o Merged entire content of RFC 7233 (Range Requests). 8268 o Merged entire content of RFC 7235 (Auth Framework). 8270 o Moved all extensibility tips, registration procedures, and 8271 registry tables from the IANA considerations to normative 8272 sections, reducing the IANA considerations to just instructions 8273 that will be removed prior to publication as an RFC. 8275 I.3. Since draft-ietf-httpbis-semantics-01 8277 o Improve [Welch] citation () 8280 o Remove HTTP/1.1-ism about Range Requests 8281 () 8283 o Cite RFC 8126 instead of RFC 5226 () 8286 o Cite RFC 7538 instead of RFC 7238 () 8289 o Cite RFC 8288 instead of RFC 5988 () 8292 o Cite RFC 8187 instead of RFC 5987 () 8295 o Cite RFC 7578 instead of RFC 2388 () 8298 o Cite RFC 7595 instead of RFC 4395 () 8301 o improve ABNF readability for qdtext (, ) 8304 o Clarify "resource" vs "representation" in definition of status 8305 code 416 (, 8306 ) 8308 o Resolved erratum 4072, no change needed here 8309 (, 8310 ) 8312 o Clarify DELETE status code suggestions 8313 (, 8314 ) 8316 o In Section 6.3.3, fix ABNF for "other-range-resp" to use VCHAR 8317 instead of CHAR (, 8318 ) 8320 o Resolved erratum 5162, no change needed here 8321 (, 8322 ) 8324 o Replace "response code" with "response status code" and "status- 8325 code" (the ABNF production name from the HTTP/1.1 message format) 8326 by "status code" (, 8327 ) 8329 o Added a missing word in Section 9.4 (, ) 8332 o In Section 11, fixed an example that had trailing whitespace where 8333 it shouldn't (, 8334 ) 8336 o In Section 9.3.7, remove words that were potentially misleading 8337 with respect to the relation to the requested ranges 8338 (, 8339 ) 8341 I.4. Since draft-ietf-httpbis-semantics-02 8343 o Included (Proxy-)Auth-Info header field definition from RFC 7615 8344 () 8346 o In Section 7.3.3, clarify POST caching 8347 () 8349 o Add Section 9.5.19 to reserve the 418 status code 8350 () 8352 o In Section 2.1 and Section 8.1.1, clarified when a response can be 8353 sent () 8355 o In Section 6.1.1.1, explain the difference between the "token" 8356 production, the RFC 2978 ABNF for charset names, and the actual 8357 registration practice (, ) 8360 o In Section 2.5, removed the fragment component in the URI scheme 8361 definitions as per Section 4.3 of [RFC3986], furthermore moved 8362 fragment discussion into a separate section 8363 (, 8364 , ) 8367 o In Section 3.5, add language about minor HTTP version number 8368 defaulting () 8370 o Added Section 9.5.20 for status code 422, previously defined in 8371 Section 11.2 of [RFC4918] () 8374 o In Section 9.5.17, fixed prose about byte range comparison 8375 (, 8376 ) 8378 o In Section 2.1, explain that request/response correlation is 8379 version specific () 8382 I.5. Since draft-ietf-httpbis-semantics-03 8384 o In Section 9.4.9, include status code 308 from RFC 7538 8385 () 8387 o In Section 6.1.1, clarify that the charset parameter value is 8388 case-insensitive due to the definition in RFC 2046 8389 () 8391 o Define a separate registry for HTTP header field names 8392 () 8394 o In Section 8.4, refactor and clarify description of wildcard ("*") 8395 handling () 8397 o Deprecate Accept-Charset () 8400 o In Section 8.2.1, mention Cache-Control: immutable 8401 () 8403 o In Section 4.2.1, clarify when header field combination is allowed 8404 () 8406 o In Section 13.4, instruct IANA to mark Content-MD5 as obsolete 8407 () 8409 o Use RFC 7405 ABNF notation for case-sensitive string constants 8410 () 8412 o Rework Section 2.1 to be more version-independent 8413 () 8415 o In Section 7.3.5, clarify that DELETE needs to be successful to 8416 invalidate cache (, ) 8419 I.6. Since draft-ietf-httpbis-semantics-04 8421 o In Section 4.2, fix field-content ABNF 8422 (, 8423 ) 8425 o Move Section 4.2.3.4 into its own section 8426 () 8428 o In Section 6.2.1, reference MIME Sniffing 8429 () 8431 o In Section 11, simplify the #rule mapping for recipients 8432 (, 8433 ) 8435 o In Section 7.3.7, remove misleading text about "extension" of HTTP 8436 is needed to define method payloads () 8439 o Fix editorial issue in Section 6 () 8442 o In Section 9.5.20, rephrase language not to use "entity" anymore, 8443 and also avoid lowercase "may" () 8446 o Move discussion of retries from [Messaging] into Section 7.2.2 8447 () 8449 Index 8451 1 8452 100 Continue (status code) 110 8453 100-continue (expect value) 77 8454 101 Switching Protocols (status code) 110 8455 1xx Informational (status code class) 109 8457 2 8458 200 OK (status code) 110 8459 201 Created (status code) 111 8460 202 Accepted (status code) 111 8461 203 Non-Authoritative Information (status code) 112 8462 204 No Content (status code) 112 8463 205 Reset Content (status code) 113 8464 206 Partial Content (status code) 113 8465 2xx Successful (status code class) 110 8467 3 8468 300 Multiple Choices (status code) 118 8469 301 Moved Permanently (status code) 119 8470 302 Found (status code) 119 8471 303 See Other (status code) 120 8472 304 Not Modified (status code) 120 8473 305 Use Proxy (status code) 121 8474 306 (Unused) (status code) 121 8475 307 Temporary Redirect (status code) 121 8476 308 Permanent Redirect (status code) 122 8477 3xx Redirection (status code class) 116 8479 4 8480 400 Bad Request (status code) 122 8481 401 Unauthorized (status code) 122 8482 402 Payment Required (status code) 123 8483 403 Forbidden (status code) 123 8484 404 Not Found (status code) 123 8485 405 Method Not Allowed (status code) 124 8486 406 Not Acceptable (status code) 124 8487 407 Proxy Authentication Required (status code) 124 8488 408 Request Timeout (status code) 124 8489 409 Conflict (status code) 125 8490 410 Gone (status code) 125 8491 411 Length Required (status code) 125 8492 412 Precondition Failed (status code) 126 8493 413 Payload Too Large (status code) 126 8494 414 URI Too Long (status code) 126 8495 415 Unsupported Media Type (status code) 126 8496 416 Range Not Satisfiable (status code) 127 8497 417 Expectation Failed (status code) 127 8498 418 (Unused) (status code) 127 8499 422 Unprocessable Payload (status code) 128 8500 426 Upgrade Required (status code) 128 8501 4xx Client Error (status code class) 122 8503 5 8504 500 Internal Server Error (status code) 129 8505 501 Not Implemented (status code) 129 8506 502 Bad Gateway (status code) 129 8507 503 Service Unavailable (status code) 129 8508 504 Gateway Timeout (status code) 129 8509 505 HTTP Version Not Supported (status code) 129 8510 5xx Server Error (status code class) 128 8512 A 8513 Accept header field 93 8514 Accept-Charset header field 95 8515 Accept-Encoding header field 96 8516 Accept-Language header field 97 8517 Accept-Ranges header field 150 8518 Allow header field 150 8519 Authentication-Info header field 148 8520 Authorization header field 101 8521 accelerator 13 8522 authoritative response 153 8524 B 8525 browser 10 8527 C 8528 CONNECT method 72 8529 Canonical Root URI 100 8530 Content-Encoding header field 49 8531 Content-Language header field 50 8532 Content-Length header field 50 8533 Content-Location header field 52 8534 Content-MD5 header field 163 8535 Content-Range header field 55 8536 Content-Type header field 48 8537 cache 14 8538 cacheable 14, 66 8539 captive portal 13 8540 client 10 8541 compress (Coding Format) 43 8542 compress (content coding) 42 8543 conditional request 80 8544 connection 10 8545 content coding 42 8546 content negotiation 8 8548 D 8549 DELETE method 71 8550 Date header field 134 8551 Delimiters 29 8552 deflate (Coding Format) 43 8553 deflate (content coding) 42 8554 downstream 12 8556 E 8557 ETag header field 142 8558 Expect header field 77 8559 effective request URI 34 8561 F 8562 Fragment Identifiers 18 8563 From header field 104 8565 G 8566 GET method 66 8567 Grammar 8568 absolute-path 15 8569 absolute-URI 15 8570 Accept 93 8571 Accept-Charset 95 8572 Accept-Encoding 96 8573 accept-ext 93 8574 Accept-Language 97 8575 accept-params 93 8576 Accept-Ranges 150 8577 acceptable-ranges 150 8578 Allow 150 8579 ALPHA 9 8580 asctime-date 133 8581 auth-param 99 8582 auth-scheme 99 8583 Authentication-Info 148 8584 authority 15 8585 Authorization 101 8586 BWS 32 8587 byte-content-range 56 8588 byte-range 56 8589 byte-range-resp 56 8590 byte-range-set 45 8591 byte-range-spec 45 8592 byte-ranges-specifier 45 8593 bytes-unit 44-45 8594 challenge 99 8595 charset 40 8596 codings 96 8597 comment 30 8598 complete-length 56 8599 content-coding 42 8600 Content-Encoding 49 8601 Content-Language 50 8602 Content-Length 50 8603 Content-Location 52 8604 Content-Range 56 8605 Content-Type 48 8606 CR 9 8607 credentials 100 8608 CRLF 9 8609 ctext 30 8610 CTL 9 8611 Date 134 8612 date1 133 8613 day 133 8614 day-name 133 8615 day-name-l 133 8616 delay-seconds 136 8617 DIGIT 9 8618 DQUOTE 9 8619 entity-tag 143 8620 ETag 143 8621 etagc 143 8622 Expect 77 8623 field-content 28 8624 field-name 23, 32 8625 field-value 28 8626 field-vchar 28 8627 first-byte-pos 45 8628 From 104 8629 GMT 133 8630 HEXDIG 9 8631 Host 34 8632 hour 133 8633 HTAB 9 8634 HTTP-date 132 8635 http-URI 16 8636 https-URI 18 8637 If-Match 84 8638 If-Modified-Since 86 8639 If-None-Match 85 8640 If-Range 89 8641 If-Unmodified-Since 87 8642 IMF-fixdate 133 8643 language-range 97 8644 language-tag 44 8645 last-byte-pos 45 8646 Last-Modified 140 8647 LF 9 8648 Location 135 8649 Max-Forwards 79 8650 media-range 93 8651 media-type 40 8652 method 62 8653 minute 133 8654 month 133 8655 obs-date 133 8656 obs-text 30 8657 OCTET 9 8658 opaque-tag 143 8659 other-content-range 56 8660 other-range-resp 56 8661 other-range-unit 44, 47 8662 OWS 32 8663 parameter 30 8664 parameter-name 30 8665 parameter-value 30 8666 partial-URI 15 8667 port 15 8668 product 106 8669 product-version 106 8670 protocol-name 36 8671 protocol-version 36 8672 Proxy-Authenticate 148 8673 Proxy-Authentication-Info 149 8674 Proxy-Authorization 101 8675 pseudonym 36 8676 qdtext 30 8677 query 15 8678 quoted-pair 30 8679 quoted-string 30 8680 qvalue 93 8681 Range 90 8682 range-unit 44 8683 ranges-specifier 45 8684 received-by 36 8685 received-protocol 36 8686 Referer 105 8687 Retry-After 136 8688 rfc850-date 133 8689 RWS 32 8690 second 133 8691 segment 15 8692 Server 151 8693 SP 9 8694 subtype 40 8695 suffix-byte-range-spec 46 8696 suffix-length 46 8697 tchar 29 8698 time-of-day 133 8699 token 29 8700 token68 99 8701 Trailer 32 8702 type 40 8703 unsatisfied-range 56 8704 uri-host 15 8705 URI-reference 15 8706 User-Agent 106 8707 Vary 137 8708 VCHAR 9 8709 Via 36 8710 weak 143 8711 weight 93 8712 WWW-Authenticate 147 8713 year 133 8714 gateway 13 8715 gzip (Coding Format) 43 8716 gzip (content coding) 42 8718 H 8719 HEAD method 67 8720 Host header field 34 8721 http URI scheme 16 8722 https URI scheme 17 8724 I 8725 If-Match header field 84 8726 If-Modified-Since header field 86 8727 If-None-Match header field 85 8728 If-Range header field 88 8729 If-Unmodified-Since header field 87 8730 idempotent 65 8731 inbound 12 8732 interception proxy 13 8733 intermediary 12 8735 L 8736 Last-Modified header field 140 8737 Location header field 135 8739 M 8740 Max-Forwards header field 79 8741 Media Type 8742 multipart/byteranges 57 8743 multipart/x-byteranges 58 8744 message 11 8745 metadata 138 8746 multipart/byteranges Media Type 57 8747 multipart/x-byteranges Media Type 58 8749 N 8750 non-transforming proxy 38 8752 O 8753 OPTIONS method 73 8754 origin server 10 8755 outbound 12 8757 P 8758 POST method 67 8759 PUT method 68 8760 Protection Space 100 8761 Proxy-Authenticate header field 148 8762 Proxy-Authentication-Info header field 149 8763 Proxy-Authorization header field 101 8764 payload 54 8765 phishing 153 8766 proxy 12 8768 R 8769 Range header field 90 8770 Realm 100 8771 Referer header field 105 8772 Retry-After header field 136 8773 recipient 10 8774 representation 39 8775 request 11 8776 resource 15 8777 response 11 8778 reverse proxy 13 8780 S 8781 Server header field 151 8782 Status Codes Classes 8783 1xx Informational 109 8784 2xx Successful 110 8785 3xx Redirection 116 8786 4xx Client Error 122 8787 5xx Server Error 128 8788 safe 64 8789 selected representation 39, 80, 138 8790 sender 10 8791 server 10 8792 spider 10 8794 T 8795 TRACE method 74 8796 Trailer header field 32 8797 target URI 33 8798 target resource 33 8799 transforming proxy 38 8800 transparent proxy 13 8801 tunnel 13 8803 U 8804 URI scheme 8805 http 16 8806 https 17 8807 User-Agent header field 106 8808 upstream 12 8809 user agent 10 8811 V 8812 Vary header field 137 8813 Via header field 36 8814 validator 138 8815 strong 139 8816 weak 139 8818 W 8819 WWW-Authenticate header field 147 8821 X 8822 x-compress (content coding) 42 8823 x-gzip (content coding) 42 8825 Acknowledgments 8827 This edition of the HTTP specification builds on the many 8828 contributions that went into RFC 1945, RFC 2068, RFC 2145, and RFC 8829 2616, including substantial contributions made by the previous 8830 authors, editors, and Working Group Chairs: Tim Berners-Lee, Ari 8831 Luotonen, Roy T. Fielding, Henrik Frystyk Nielsen, Jim Gettys, 8832 Jeffrey C. Mogul, Larry Masinter, Paul J. Leach, and Yves Lafon. 8834 See Section 10 of [RFC7230] for further acknowledgements from prior 8835 revisions. 8837 In addition, this document has reincorporated the HTTP Authentication 8838 Framework, previously defined in RFC 7235 and RFC 2617. We thank 8839 John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott 8840 D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart 8841 for their work on that specification. See Section 6 of [RFC2617] for 8842 further acknowledgements. 8844 [[newacks: New acks to be added here.]] 8846 Authors' Addresses 8848 Roy T. Fielding (editor) 8849 Adobe 8850 345 Park Ave 8851 San Jose, CA 95110 8852 USA 8854 EMail: fielding@gbiv.com 8855 URI: https://roy.gbiv.com/ 8857 Mark Nottingham (editor) 8858 Fastly 8860 EMail: mnot@mnot.net 8861 URI: https://www.mnot.net/ 8862 Julian F. Reschke (editor) 8863 greenbytes GmbH 8864 Hafenweg 16 8865 Muenster, NW 48155 8866 Germany 8868 EMail: julian.reschke@greenbytes.de 8869 URI: https://greenbytes.de/tech/webdav/