idnits 2.17.1 draft-ietf-httpbis-semantics-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The abstract seems to indicate that this document obsoletes RFC7615, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7538, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7231, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7232, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7233, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7235, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC2818, but the header doesn't have an 'Obsoletes:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 4, 2019) is 1634 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2145' is defined on line 8049, but no explicit reference was found in the text == Unused Reference: 'RFC2818' is defined on line 8083, but no explicit reference was found in the text == Unused Reference: 'RFC7232' is defined on line 8146, but no explicit reference was found in the text == Unused Reference: 'RFC7233' is defined on line 8151, but no explicit reference was found in the text == Unused Reference: 'RFC7235' is defined on line 8156, but no explicit reference was found in the text == Unused Reference: 'RFC7615' is defined on line 8169, but no explicit reference was found in the text == Unused Reference: 'RFC7617' is defined on line 8179, but no explicit reference was found in the text == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-cache-06 -- Possible downref: Normative reference to a draft: ref. 'Caching' == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-messaging-06 -- Possible downref: Normative reference to a draft: ref. 'Messaging' ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Downref: Normative reference to an Informational RFC: RFC 1950 ** Downref: Normative reference to an Informational RFC: RFC 1951 ** Downref: Normative reference to an Informational RFC: RFC 1952 -- Possible downref: Non-RFC (?) normative reference: ref. 'USASCII' -- Possible downref: Non-RFC (?) normative reference: ref. 'Welch' -- Duplicate reference: RFC2978, mentioned in 'Err5433', was also mentioned in 'Err1912'. -- Obsolete informational reference (is this intentional?): RFC 2068 (Obsoleted by RFC 2616) -- Obsolete informational reference (is this intentional?): RFC 2145 (Obsoleted by RFC 7230) -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Duplicate reference: RFC2978, mentioned in 'RFC2978', was also mentioned in 'Err5433'. -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) -- Obsolete informational reference (is this intentional?): RFC 7231 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7232 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7233 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7235 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7538 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7615 (Obsoleted by RFC 9110) Summary: 4 errors (**), 0 flaws (~~), 11 warnings (==), 27 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group R. Fielding, Ed. 3 Internet-Draft Adobe 4 Obsoletes: M. Nottingham, Ed. 5 2818,7230,7231,7232,7233,7235 Fastly 6 ,7538,7615 (if approved) J. Reschke, Ed. 7 Intended status: Standards Track greenbytes 8 Expires: May 7, 2020 November 4, 2019 10 HTTP Semantics 11 draft-ietf-httpbis-semantics-06 13 Abstract 15 The Hypertext Transfer Protocol (HTTP) is a stateless application- 16 level protocol for distributed, collaborative, hypertext information 17 systems. This document defines the semantics of HTTP: its 18 architecture, terminology, the "http" and "https" Uniform Resource 19 Identifier (URI) schemes, core request methods, request header 20 fields, response status codes, response header fields, and content 21 negotiation. 23 This document obsoletes RFC 2818, RFC 7231, RFC 7232, RFC 7233, RFC 24 7235, RFC 7538, RFC 7615, and portions of RFC 7230. 26 Editorial Note 28 This note is to be removed before publishing as an RFC. 30 Discussion of this draft takes place on the HTTP working group 31 mailing list (ietf-http-wg@w3.org), which is archived at 32 . 34 Working Group information can be found at ; 35 source code and issues list for this draft can be found at 36 . 38 The changes in this draft are summarized in Appendix J.7. 40 Status of This Memo 42 This Internet-Draft is submitted in full conformance with the 43 provisions of BCP 78 and BCP 79. 45 Internet-Drafts are working documents of the Internet Engineering 46 Task Force (IETF). Note that other groups may also distribute 47 working documents as Internet-Drafts. The list of current Internet- 48 Drafts is at https://datatracker.ietf.org/drafts/current/. 50 Internet-Drafts are draft documents valid for a maximum of six months 51 and may be updated, replaced, or obsoleted by other documents at any 52 time. It is inappropriate to use Internet-Drafts as reference 53 material or to cite them other than as "work in progress." 55 This Internet-Draft will expire on May 7, 2020. 57 Copyright Notice 59 Copyright (c) 2019 IETF Trust and the persons identified as the 60 document authors. All rights reserved. 62 This document is subject to BCP 78 and the IETF Trust's Legal 63 Provisions Relating to IETF Documents 64 (https://trustee.ietf.org/license-info) in effect on the date of 65 publication of this document. Please review these documents 66 carefully, as they describe your rights and restrictions with respect 67 to this document. Code Components extracted from this document must 68 include Simplified BSD License text as described in Section 4.e of 69 the Trust Legal Provisions and are provided without warranty as 70 described in the Simplified BSD License. 72 This document may contain material from IETF Documents or IETF 73 Contributions published or made publicly available before November 74 10, 2008. The person(s) controlling the copyright in some of this 75 material may not have granted the IETF Trust the right to allow 76 modifications of such material outside the IETF Standards Process. 77 Without obtaining an adequate license from the person(s) controlling 78 the copyright in such materials, this document may not be modified 79 outside the IETF Standards Process, and derivative works of it may 80 not be created outside the IETF Standards Process, except to format 81 it for publication as an RFC or to translate it into languages other 82 than English. 84 Table of Contents 86 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 87 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 9 88 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 9 89 2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 10 90 2.1. Client/Server Messaging . . . . . . . . . . . . . . . . . 10 91 2.2. Intermediaries . . . . . . . . . . . . . . . . . . . . . 12 92 2.3. Caches . . . . . . . . . . . . . . . . . . . . . . . . . 14 93 2.4. Uniform Resource Identifiers . . . . . . . . . . . . . . 15 94 2.5. Resources . . . . . . . . . . . . . . . . . . . . . . . . 16 95 2.5.1. http URI Scheme . . . . . . . . . . . . . . . . . . . 16 96 2.5.2. https URI Scheme . . . . . . . . . . . . . . . . . . 18 97 2.5.3. Fragment Identifiers on http(s) URI References . . . 20 98 2.5.4. http and https URI Normalization and Comparison . . . 20 99 3. Conformance . . . . . . . . . . . . . . . . . . . . . . . . . 21 100 3.1. Implementation Diversity . . . . . . . . . . . . . . . . 21 101 3.2. Role-based Requirements . . . . . . . . . . . . . . . . . 21 102 3.3. Parsing Elements . . . . . . . . . . . . . . . . . . . . 22 103 3.4. Error Handling . . . . . . . . . . . . . . . . . . . . . 23 104 3.5. Protocol Versioning . . . . . . . . . . . . . . . . . . . 23 105 4. Header Fields . . . . . . . . . . . . . . . . . . . . . . . . 24 106 4.1. Header Field Names . . . . . . . . . . . . . . . . . . . 24 107 4.1.1. Header Field Name Registry . . . . . . . . . . . . . 27 108 4.1.2. Header Field Extensibility . . . . . . . . . . . . . 28 109 4.2. Header Field Values . . . . . . . . . . . . . . . . . . . 28 110 4.2.1. Header Field Order . . . . . . . . . . . . . . . . . 29 111 4.2.2. Header Field Limits . . . . . . . . . . . . . . . . . 30 112 4.2.3. Header Field Value Components . . . . . . . . . . . . 30 113 4.3. Trailer Fields . . . . . . . . . . . . . . . . . . . . . 32 114 4.3.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 32 115 4.3.2. Limitations . . . . . . . . . . . . . . . . . . . . . 32 116 4.3.3. Trailer . . . . . . . . . . . . . . . . . . . . . . . 33 117 4.4. Considerations for New Header Fields . . . . . . . . . . 33 118 5. Message Routing . . . . . . . . . . . . . . . . . . . . . . . 35 119 5.1. Identifying a Target Resource . . . . . . . . . . . . . . 35 120 5.2. Routing Inbound . . . . . . . . . . . . . . . . . . . . . 36 121 5.3. Effective Request URI . . . . . . . . . . . . . . . . . . 36 122 5.4. Host . . . . . . . . . . . . . . . . . . . . . . . . . . 37 123 5.5. Message Forwarding . . . . . . . . . . . . . . . . . . . 38 124 5.5.1. Via . . . . . . . . . . . . . . . . . . . . . . . . . 39 125 5.5.2. Transformations . . . . . . . . . . . . . . . . . . . 40 126 6. Representations . . . . . . . . . . . . . . . . . . . . . . . 41 127 6.1. Representation Data . . . . . . . . . . . . . . . . . . . 42 128 6.1.1. Media Type . . . . . . . . . . . . . . . . . . . . . 42 129 6.1.2. Content Codings . . . . . . . . . . . . . . . . . . . 44 130 6.1.3. Language Tags . . . . . . . . . . . . . . . . . . . . 46 131 6.1.4. Range Units . . . . . . . . . . . . . . . . . . . . . 47 132 6.2. Representation Metadata . . . . . . . . . . . . . . . . . 51 133 6.2.1. Content-Type . . . . . . . . . . . . . . . . . . . . 51 134 6.2.2. Content-Encoding . . . . . . . . . . . . . . . . . . 52 135 6.2.3. Content-Language . . . . . . . . . . . . . . . . . . 53 136 6.2.4. Content-Length . . . . . . . . . . . . . . . . . . . 54 137 6.2.5. Content-Location . . . . . . . . . . . . . . . . . . 55 138 6.3. Payload . . . . . . . . . . . . . . . . . . . . . . . . . 57 139 6.3.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 57 140 6.3.2. Identification . . . . . . . . . . . . . . . . . . . 58 141 6.3.3. Payload Body . . . . . . . . . . . . . . . . . . . . 59 142 6.3.4. Content-Range . . . . . . . . . . . . . . . . . . . . 59 143 6.3.5. Media Type multipart/byteranges . . . . . . . . . . . 61 144 6.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 63 145 6.4.1. Proactive Negotiation . . . . . . . . . . . . . . . . 64 146 6.4.2. Reactive Negotiation . . . . . . . . . . . . . . . . 65 147 7. Request Methods . . . . . . . . . . . . . . . . . . . . . . . 66 148 7.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 66 149 7.2. Common Method Properties . . . . . . . . . . . . . . . . 67 150 7.2.1. Safe Methods . . . . . . . . . . . . . . . . . . . . 68 151 7.2.2. Idempotent Methods . . . . . . . . . . . . . . . . . 69 152 7.2.3. Methods and Caching . . . . . . . . . . . . . . . . . 70 153 7.3. Method Definitions . . . . . . . . . . . . . . . . . . . 70 154 7.3.1. GET . . . . . . . . . . . . . . . . . . . . . . . . . 70 155 7.3.2. HEAD . . . . . . . . . . . . . . . . . . . . . . . . 71 156 7.3.3. POST . . . . . . . . . . . . . . . . . . . . . . . . 72 157 7.3.4. PUT . . . . . . . . . . . . . . . . . . . . . . . . . 73 158 7.3.5. DELETE . . . . . . . . . . . . . . . . . . . . . . . 75 159 7.3.6. CONNECT . . . . . . . . . . . . . . . . . . . . . . . 76 160 7.3.7. OPTIONS . . . . . . . . . . . . . . . . . . . . . . . 78 161 7.3.8. TRACE . . . . . . . . . . . . . . . . . . . . . . . . 79 162 7.4. Method Extensibility . . . . . . . . . . . . . . . . . . 79 163 7.4.1. Method Registry . . . . . . . . . . . . . . . . . . . 79 164 7.4.2. Considerations for New Methods . . . . . . . . . . . 80 165 8. Request Header Fields . . . . . . . . . . . . . . . . . . . . 80 166 8.1. Controls . . . . . . . . . . . . . . . . . . . . . . . . 81 167 8.1.1. Expect . . . . . . . . . . . . . . . . . . . . . . . 81 168 8.1.2. Max-Forwards . . . . . . . . . . . . . . . . . . . . 83 169 8.2. Preconditions . . . . . . . . . . . . . . . . . . . . . . 84 170 8.2.1. Evaluation . . . . . . . . . . . . . . . . . . . . . 85 171 8.2.2. Precedence . . . . . . . . . . . . . . . . . . . . . 86 172 8.2.3. If-Match . . . . . . . . . . . . . . . . . . . . . . 88 173 8.2.4. If-None-Match . . . . . . . . . . . . . . . . . . . . 89 174 8.2.5. If-Modified-Since . . . . . . . . . . . . . . . . . . 90 175 8.2.6. If-Unmodified-Since . . . . . . . . . . . . . . . . . 91 176 8.2.7. If-Range . . . . . . . . . . . . . . . . . . . . . . 93 177 8.3. Range . . . . . . . . . . . . . . . . . . . . . . . . . . 94 178 8.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 95 179 8.4.1. Quality Values . . . . . . . . . . . . . . . . . . . 96 180 8.4.2. Accept . . . . . . . . . . . . . . . . . . . . . . . 97 181 8.4.3. Accept-Charset . . . . . . . . . . . . . . . . . . . 99 182 8.4.4. Accept-Encoding . . . . . . . . . . . . . . . . . . . 100 183 8.4.5. Accept-Language . . . . . . . . . . . . . . . . . . . 101 184 8.5. Authentication Credentials . . . . . . . . . . . . . . . 102 185 8.5.1. Challenge and Response . . . . . . . . . . . . . . . 102 186 8.5.2. Protection Space (Realm) . . . . . . . . . . . . . . 104 187 8.5.3. Authorization . . . . . . . . . . . . . . . . . . . . 105 188 8.5.4. Proxy-Authorization . . . . . . . . . . . . . . . . . 105 189 8.5.5. Authentication Scheme Extensibility . . . . . . . . . 106 190 8.6. Request Context . . . . . . . . . . . . . . . . . . . . . 108 191 8.6.1. From . . . . . . . . . . . . . . . . . . . . . . . . 108 192 8.6.2. Referer . . . . . . . . . . . . . . . . . . . . . . . 109 193 8.6.3. User-Agent . . . . . . . . . . . . . . . . . . . . . 110 195 9. Response Status Codes . . . . . . . . . . . . . . . . . . . . 111 196 9.1. Overview of Status Codes . . . . . . . . . . . . . . . . 112 197 9.2. Informational 1xx . . . . . . . . . . . . . . . . . . . . 113 198 9.2.1. 100 Continue . . . . . . . . . . . . . . . . . . . . 114 199 9.2.2. 101 Switching Protocols . . . . . . . . . . . . . . . 114 200 9.3. Successful 2xx . . . . . . . . . . . . . . . . . . . . . 114 201 9.3.1. 200 OK . . . . . . . . . . . . . . . . . . . . . . . 114 202 9.3.2. 201 Created . . . . . . . . . . . . . . . . . . . . . 115 203 9.3.3. 202 Accepted . . . . . . . . . . . . . . . . . . . . 115 204 9.3.4. 203 Non-Authoritative Information . . . . . . . . . . 116 205 9.3.5. 204 No Content . . . . . . . . . . . . . . . . . . . 116 206 9.3.6. 205 Reset Content . . . . . . . . . . . . . . . . . . 117 207 9.3.7. 206 Partial Content . . . . . . . . . . . . . . . . . 117 208 9.4. Redirection 3xx . . . . . . . . . . . . . . . . . . . . . 120 209 9.4.1. 300 Multiple Choices . . . . . . . . . . . . . . . . 122 210 9.4.2. 301 Moved Permanently . . . . . . . . . . . . . . . . 123 211 9.4.3. 302 Found . . . . . . . . . . . . . . . . . . . . . . 123 212 9.4.4. 303 See Other . . . . . . . . . . . . . . . . . . . . 124 213 9.4.5. 304 Not Modified . . . . . . . . . . . . . . . . . . 124 214 9.4.6. 305 Use Proxy . . . . . . . . . . . . . . . . . . . . 125 215 9.4.7. 306 (Unused) . . . . . . . . . . . . . . . . . . . . 125 216 9.4.8. 307 Temporary Redirect . . . . . . . . . . . . . . . 125 217 9.4.9. 308 Permanent Redirect . . . . . . . . . . . . . . . 126 218 9.5. Client Error 4xx . . . . . . . . . . . . . . . . . . . . 126 219 9.5.1. 400 Bad Request . . . . . . . . . . . . . . . . . . . 126 220 9.5.2. 401 Unauthorized . . . . . . . . . . . . . . . . . . 126 221 9.5.3. 402 Payment Required . . . . . . . . . . . . . . . . 127 222 9.5.4. 403 Forbidden . . . . . . . . . . . . . . . . . . . . 127 223 9.5.5. 404 Not Found . . . . . . . . . . . . . . . . . . . . 127 224 9.5.6. 405 Method Not Allowed . . . . . . . . . . . . . . . 128 225 9.5.7. 406 Not Acceptable . . . . . . . . . . . . . . . . . 128 226 9.5.8. 407 Proxy Authentication Required . . . . . . . . . . 128 227 9.5.9. 408 Request Timeout . . . . . . . . . . . . . . . . . 128 228 9.5.10. 409 Conflict . . . . . . . . . . . . . . . . . . . . 129 229 9.5.11. 410 Gone . . . . . . . . . . . . . . . . . . . . . . 129 230 9.5.12. 411 Length Required . . . . . . . . . . . . . . . . . 129 231 9.5.13. 412 Precondition Failed . . . . . . . . . . . . . . . 130 232 9.5.14. 413 Payload Too Large . . . . . . . . . . . . . . . . 130 233 9.5.15. 414 URI Too Long . . . . . . . . . . . . . . . . . . 130 234 9.5.16. 415 Unsupported Media Type . . . . . . . . . . . . . 130 235 9.5.17. 416 Range Not Satisfiable . . . . . . . . . . . . . . 131 236 9.5.18. 417 Expectation Failed . . . . . . . . . . . . . . . 131 237 9.5.19. 418 (Unused) . . . . . . . . . . . . . . . . . . . . 131 238 9.5.20. 422 Unprocessable Payload . . . . . . . . . . . . . . 132 239 9.5.21. 426 Upgrade Required . . . . . . . . . . . . . . . . 132 240 9.6. Server Error 5xx . . . . . . . . . . . . . . . . . . . . 132 241 9.6.1. 500 Internal Server Error . . . . . . . . . . . . . . 133 242 9.6.2. 501 Not Implemented . . . . . . . . . . . . . . . . . 133 243 9.6.3. 502 Bad Gateway . . . . . . . . . . . . . . . . . . . 133 244 9.6.4. 503 Service Unavailable . . . . . . . . . . . . . . . 133 245 9.6.5. 504 Gateway Timeout . . . . . . . . . . . . . . . . . 133 246 9.6.6. 505 HTTP Version Not Supported . . . . . . . . . . . 133 247 9.7. Status Code Extensibility . . . . . . . . . . . . . . . . 134 248 9.7.1. Status Code Registry . . . . . . . . . . . . . . . . 134 249 9.7.2. Considerations for New Status Codes . . . . . . . . . 134 250 10. Response Header Fields . . . . . . . . . . . . . . . . . . . 135 251 10.1. Control Data . . . . . . . . . . . . . . . . . . . . . . 135 252 10.1.1. Origination Date . . . . . . . . . . . . . . . . . . 136 253 10.1.2. Location . . . . . . . . . . . . . . . . . . . . . . 139 254 10.1.3. Retry-After . . . . . . . . . . . . . . . . . . . . 140 255 10.1.4. Vary . . . . . . . . . . . . . . . . . . . . . . . . 141 256 10.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 142 257 10.2.1. Weak versus Strong . . . . . . . . . . . . . . . . . 143 258 10.2.2. Last-Modified . . . . . . . . . . . . . . . . . . . 144 259 10.2.3. ETag . . . . . . . . . . . . . . . . . . . . . . . . 146 260 10.2.4. When to Use Entity-Tags and Last-Modified Dates . . 150 261 10.3. Authentication Challenges . . . . . . . . . . . . . . . 150 262 10.3.1. WWW-Authenticate . . . . . . . . . . . . . . . . . . 151 263 10.3.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . 152 264 10.3.3. Authentication-Info . . . . . . . . . . . . . . . . 152 265 10.3.4. Proxy-Authentication-Info . . . . . . . . . . . . . 153 266 10.4. Response Context . . . . . . . . . . . . . . . . . . . . 154 267 10.4.1. Accept-Ranges . . . . . . . . . . . . . . . . . . . 154 268 10.4.2. Allow . . . . . . . . . . . . . . . . . . . . . . . 154 269 10.4.3. Server . . . . . . . . . . . . . . . . . . . . . . . 155 270 11. Generic Syntax . . . . . . . . . . . . . . . . . . . . . . . 156 271 11.1. Whitespace . . . . . . . . . . . . . . . . . . . . . . . 156 272 12. ABNF List Extension: #rule . . . . . . . . . . . . . . . . . 156 273 12.1. Sender Requirements . . . . . . . . . . . . . . . . . . 156 274 12.2. Recipient Requirements . . . . . . . . . . . . . . . . . 157 275 13. Security Considerations . . . . . . . . . . . . . . . . . . . 158 276 13.1. Establishing Authority . . . . . . . . . . . . . . . . . 158 277 13.2. Risks of Intermediaries . . . . . . . . . . . . . . . . 159 278 13.3. Attacks Based on File and Path Names . . . . . . . . . . 160 279 13.4. Attacks Based on Command, Code, or Query Injection . . . 160 280 13.5. Attacks via Protocol Element Length . . . . . . . . . . 161 281 13.6. Disclosure of Personal Information . . . . . . . . . . . 161 282 13.7. Privacy of Server Log Information . . . . . . . . . . . 161 283 13.8. Disclosure of Sensitive Information in URIs . . . . . . 162 284 13.9. Disclosure of Fragment after Redirects . . . . . . . . . 162 285 13.10. Disclosure of Product Information . . . . . . . . . . . 163 286 13.11. Browser Fingerprinting . . . . . . . . . . . . . . . . . 163 287 13.12. Validator Retention . . . . . . . . . . . . . . . . . . 164 288 13.13. Denial-of-Service Attacks Using Range . . . . . . . . . 165 289 13.14. Authentication Considerations . . . . . . . . . . . . . 165 290 13.14.1. Confidentiality of Credentials . . . . . . . . . . 165 291 13.14.2. Credentials and Idle Clients . . . . . . . . . . . 166 292 13.14.3. Protection Spaces . . . . . . . . . . . . . . . . . 166 293 13.14.4. Additional Response Header Fields . . . . . . . . . 167 294 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 167 295 14.1. URI Scheme Registration . . . . . . . . . . . . . . . . 167 296 14.2. Method Registration . . . . . . . . . . . . . . . . . . 167 297 14.3. Status Code Registration . . . . . . . . . . . . . . . . 167 298 14.4. Header Field Registration . . . . . . . . . . . . . . . 168 299 14.5. Authentication Scheme Registration . . . . . . . . . . . 168 300 14.6. Content Coding Registration . . . . . . . . . . . . . . 168 301 14.7. Range Unit Registration . . . . . . . . . . . . . . . . 169 302 14.8. Media Type Registration . . . . . . . . . . . . . . . . 169 303 14.9. Port Registration . . . . . . . . . . . . . . . . . . . 169 304 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 169 305 15.1. Normative References . . . . . . . . . . . . . . . . . . 169 306 15.2. Informative References . . . . . . . . . . . . . . . . . 171 307 Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 177 308 Appendix B. Changes from RFC 7230 . . . . . . . . . . . . . . . 181 309 Appendix C. Changes from RFC 2818 . . . . . . . . . . . . . . . 182 310 Appendix D. Changes from RFC 7231 . . . . . . . . . . . . . . . 182 311 Appendix E. Changes from RFC 7232 . . . . . . . . . . . . . . . 182 312 Appendix F. Changes from RFC 7233 . . . . . . . . . . . . . . . 182 313 Appendix G. Changes from RFC 7235 . . . . . . . . . . . . . . . 182 314 Appendix H. Changes from RFC 7538 . . . . . . . . . . . . . . . 183 315 Appendix I. Changes from RFC 7615 . . . . . . . . . . . . . . . 183 316 Appendix J. Change Log . . . . . . . . . . . . . . . . . . . . . 183 317 J.1. Between RFC723x and draft 00 . . . . . . . . . . . . . . 183 318 J.2. Since draft-ietf-httpbis-semantics-00 . . . . . . . . . . 183 319 J.3. Since draft-ietf-httpbis-semantics-01 . . . . . . . . . . 184 320 J.4. Since draft-ietf-httpbis-semantics-02 . . . . . . . . . . 185 321 J.5. Since draft-ietf-httpbis-semantics-03 . . . . . . . . . . 186 322 J.6. Since draft-ietf-httpbis-semantics-04 . . . . . . . . . . 187 323 J.7. Since draft-ietf-httpbis-semantics-05 . . . . . . . . . . 187 324 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 325 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 196 326 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 197 328 1. Introduction 330 The Hypertext Transfer Protocol (HTTP) is a stateless application- 331 level request/response protocol that uses extensible semantics and 332 self-descriptive messages for flexible interaction with network-based 333 hypertext information systems. HTTP is defined by a series of 334 documents that collectively form the HTTP/1.1 specification: 336 o "HTTP Semantics" (this document) 338 o "HTTP Caching" [Caching] 339 o "HTTP/1.1 Messaging" [Messaging] 341 HTTP is a generic interface protocol for information systems. It is 342 designed to hide the details of how a service is implemented by 343 presenting a uniform interface to clients that is independent of the 344 types of resources provided. Likewise, servers do not need to be 345 aware of each client's purpose: an HTTP request can be considered in 346 isolation rather than being associated with a specific type of client 347 or a predetermined sequence of application steps. The result is a 348 protocol that can be used effectively in many different contexts and 349 for which implementations can evolve independently over time. 351 HTTP is also designed for use as an intermediation protocol for 352 translating communication to and from non-HTTP information systems. 353 HTTP proxies and gateways can provide access to alternative 354 information services by translating their diverse protocols into a 355 hypertext format that can be viewed and manipulated by clients in the 356 same way as HTTP services. 358 One consequence of this flexibility is that the protocol cannot be 359 defined in terms of what occurs behind the interface. Instead, we 360 are limited to defining the syntax of communication, the intent of 361 received communication, and the expected behavior of recipients. If 362 the communication is considered in isolation, then successful actions 363 ought to be reflected in corresponding changes to the observable 364 interface provided by servers. However, since multiple clients might 365 act in parallel and perhaps at cross-purposes, we cannot require that 366 such changes be observable beyond the scope of a single response. 368 Each HTTP message is either a request or a response. A server 369 listens on a connection for a request, parses each message received, 370 interprets the message semantics in relation to the identified 371 request target, and responds to that request with one or more 372 response messages. A client constructs request messages to 373 communicate specific intentions, examines received responses to see 374 if the intentions were carried out, and determines how to interpret 375 the results. 377 HTTP provides a uniform interface for interacting with a resource 378 (Section 2.5), regardless of its type, nature, or implementation, via 379 the manipulation and transfer of representations (Section 6). 381 This document defines semantics that are common to all versions of 382 HTTP. HTTP semantics include the intentions defined by each request 383 method (Section 7), extensions to those semantics that might be 384 described in request header fields (Section 8), the meaning of status 385 codes to indicate a machine-readable response (Section 9), and the 386 meaning of other control data and resource metadata that might be 387 given in response header fields (Section 10). 389 This document also defines representation metadata that describe how 390 a payload is intended to be interpreted by a recipient, the request 391 header fields that might influence content selection, and the various 392 selection algorithms that are collectively referred to as "content 393 negotiation" (Section 6.4). 395 This document defines HTTP range requests, partial responses, and the 396 multipart/byteranges media type. 398 This document obsoletes the portions of RFC 7230 that are independent 399 of the HTTP/1.1 messaging syntax and connection management, with the 400 changes being summarized in Appendix B. The other parts of RFC 7230 401 are obsoleted by "HTTP/1.1 Messaging" [Messaging]. This document 402 also obsoletes RFC 2818 (see Appendix C), RFC 7231 (see Appendix D), 403 RFC 7232 (see Appendix E), RFC 7233 (see Appendix F), RFC 7235 (see 404 Appendix G), RFC 7538 (see Appendix H), and RFC 7615 (see 405 Appendix I). 407 1.1. Requirements Notation 409 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 410 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 411 document are to be interpreted as described in [RFC2119]. 413 Conformance criteria and considerations regarding error handling are 414 defined in Section 3. 416 1.2. Syntax Notation 418 This specification uses the Augmented Backus-Naur Form (ABNF) 419 notation of [RFC5234], extended with the notation for case- 420 sensitivity in strings defined in [RFC7405]. 422 It also uses a list extension, defined in Section 12, that allows for 423 compact definition of comma-separated lists using a '#' operator 424 (similar to how the '*' operator indicates repetition). Appendix A 425 shows the collected grammar with all list operators expanded to 426 standard ABNF notation. 428 As a convention, ABNF rule names prefixed with "obs-" denote 429 "obsolete" grammar rules that appear for historical reasons. 431 The following core rules are included by reference, as defined in 432 Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return), 433 CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double 434 quote), HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF 435 (line feed), OCTET (any 8-bit sequence of data), SP (space), and 436 VCHAR (any visible US-ASCII character). 438 Section 4.2.3 defines some generic syntactic components for header 439 field values. 441 The rules below are defined in [Messaging]: 443 obs-fold = 444 protocol-name = 445 protocol-version = 446 request-target = 448 This specification uses the terms "character", "character encoding 449 scheme", "charset", and "protocol element" as they are defined in 450 [RFC6365]. 452 2. Architecture 454 HTTP was created for the World Wide Web (WWW) architecture and has 455 evolved over time to support the scalability needs of a worldwide 456 hypertext system. Much of that architecture is reflected in the 457 terminology and syntax productions used to define HTTP. 459 2.1. Client/Server Messaging 461 HTTP is a stateless request/response protocol that operates by 462 exchanging messages (Section 2 of [Messaging]) across a reliable 463 transport- or session-layer "connection" (Section 9 of [Messaging]). 464 An HTTP "client" is a program that establishes a connection to a 465 server for the purpose of sending one or more HTTP requests. An HTTP 466 "server" is a program that accepts connections in order to service 467 HTTP requests by sending HTTP responses. 469 The terms "client" and "server" refer only to the roles that these 470 programs perform for a particular connection. The same program might 471 act as a client on some connections and a server on others. The term 472 "user agent" refers to any of the various client programs that 473 initiate a request, including (but not limited to) browsers, spiders 474 (web-based robots), command-line tools, custom applications, and 475 mobile apps. The term "origin server" refers to the program that can 476 originate authoritative responses for a given target resource. The 477 terms "sender" and "recipient" refer to any implementation that sends 478 or receives a given message, respectively. 480 HTTP relies upon the Uniform Resource Identifier (URI) standard 481 [RFC3986] to indicate the target resource (Section 5.1) and 482 relationships between resources. 484 Most HTTP communication consists of a retrieval request (GET) for a 485 representation of some resource identified by a URI. In the simplest 486 case, this might be accomplished via a single bidirectional 487 connection (===) between the user agent (UA) and the origin server 488 (O). 490 request > 491 UA ======================================= O 492 < response 494 Each major version of HTTP defines its own syntax for the inclusion 495 of information in messages. Nevertheless, a common abstraction is 496 that a message includes some form of envelope/framing, a potential 497 set of named header fields up front (a header section), a potential 498 body, and a potential set of named trailer fields. 500 A client sends an HTTP request to a server in the form of a request 501 message, beginning with a method (Section 7) and URI, followed by 502 header fields containing request modifiers, client information, and 503 representation metadata (Section 4), and finally a payload body (if 504 any, Section 6.3.3). 506 A server responds to a client's request by sending one or more HTTP 507 response messages, each beginning with a success or error code 508 (Section 9), possibly followed by header fields containing server 509 information, resource metadata, and representation metadata 510 (Section 4), and finally a payload body (if any, Section 6.3.3). 512 A connection might be used for multiple request/response exchanges. 513 The mechanism used to correlate between request and response messages 514 is version dependent; some versions of HTTP use implicit ordering of 515 messages, while others use an explicit identifier. 517 Responses (both final and non-final) can be sent at any time after a 518 request is received, even if it is not yet complete. However, 519 clients (including intermediaries) might abandon a request if the 520 response is not forthcoming within a reasonable period of time. 522 The following example illustrates a typical message exchange for a 523 GET request (Section 7.3.1) on the URI "http://www.example.com/ 524 hello.txt": 526 Client request: 528 GET /hello.txt HTTP/1.1 529 User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 530 Host: www.example.com 531 Accept-Language: en, mi 533 Server response: 535 HTTP/1.1 200 OK 536 Date: Mon, 27 Jul 2009 12:28:53 GMT 537 Server: Apache 538 Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT 539 ETag: "34aa387-d-1568eb00" 540 Accept-Ranges: bytes 541 Content-Length: 51 542 Vary: Accept-Encoding 543 Content-Type: text/plain 545 Hello World! My payload includes a trailing CRLF. 547 2.2. Intermediaries 549 HTTP enables the use of intermediaries to satisfy requests through a 550 chain of connections. There are three common forms of HTTP 551 intermediary: proxy, gateway, and tunnel. In some cases, a single 552 intermediary might act as an origin server, proxy, gateway, or 553 tunnel, switching behavior based on the nature of each request. 555 > > > > 556 UA =========== A =========== B =========== C =========== O 557 < < < < 559 The figure above shows three intermediaries (A, B, and C) between the 560 user agent and origin server. A request or response message that 561 travels the whole chain will pass through four separate connections. 562 Some HTTP communication options might apply only to the connection 563 with the nearest, non-tunnel neighbor, only to the endpoints of the 564 chain, or to all connections along the chain. Although the diagram 565 is linear, each participant might be engaged in multiple, 566 simultaneous communications. For example, B might be receiving 567 requests from many clients other than A, and/or forwarding requests 568 to servers other than C, at the same time that it is handling A's 569 request. Likewise, later requests might be sent through a different 570 path of connections, often based on dynamic configuration for load 571 balancing. 573 The terms "upstream" and "downstream" are used to describe 574 directional requirements in relation to the message flow: all 575 messages flow from upstream to downstream. The terms "inbound" and 576 "outbound" are used to describe directional requirements in relation 577 to the request route: "inbound" means toward the origin server and 578 "outbound" means toward the user agent. 580 A "proxy" is a message-forwarding agent that is selected by the 581 client, usually via local configuration rules, to receive requests 582 for some type(s) of absolute URI and attempt to satisfy those 583 requests via translation through the HTTP interface. Some 584 translations are minimal, such as for proxy requests for "http" URIs, 585 whereas other requests might require translation to and from entirely 586 different application-level protocols. Proxies are often used to 587 group an organization's HTTP requests through a common intermediary 588 for the sake of security, annotation services, or shared caching. 589 Some proxies are designed to apply transformations to selected 590 messages or payloads while they are being forwarded, as described in 591 Section 5.5.2. 593 A "gateway" (a.k.a. "reverse proxy") is an intermediary that acts as 594 an origin server for the outbound connection but translates received 595 requests and forwards them inbound to another server or servers. 596 Gateways are often used to encapsulate legacy or untrusted 597 information services, to improve server performance through 598 "accelerator" caching, and to enable partitioning or load balancing 599 of HTTP services across multiple machines. 601 All HTTP requirements applicable to an origin server also apply to 602 the outbound communication of a gateway. A gateway communicates with 603 inbound servers using any protocol that it desires, including private 604 extensions to HTTP that are outside the scope of this specification. 605 However, an HTTP-to-HTTP gateway that wishes to interoperate with 606 third-party HTTP servers ought to conform to user agent requirements 607 on the gateway's inbound connection. 609 A "tunnel" acts as a blind relay between two connections without 610 changing the messages. Once active, a tunnel is not considered a 611 party to the HTTP communication, though the tunnel might have been 612 initiated by an HTTP request. A tunnel ceases to exist when both 613 ends of the relayed connection are closed. Tunnels are used to 614 extend a virtual connection through an intermediary, such as when 615 Transport Layer Security (TLS, [RFC8446]) is used to establish 616 confidential communication through a shared firewall proxy. 618 The above categories for intermediary only consider those acting as 619 participants in the HTTP communication. There are also 620 intermediaries that can act on lower layers of the network protocol 621 stack, filtering or redirecting HTTP traffic without the knowledge or 622 permission of message senders. Network intermediaries are 623 indistinguishable (at a protocol level) from a man-in-the-middle 624 attack, often introducing security flaws or interoperability problems 625 due to mistakenly violating HTTP semantics. 627 For example, an "interception proxy" [RFC3040] (also commonly known 628 as a "transparent proxy" [RFC1919] or "captive portal") differs from 629 an HTTP proxy because it is not selected by the client. Instead, an 630 interception proxy filters or redirects outgoing TCP port 80 packets 631 (and occasionally other common port traffic). Interception proxies 632 are commonly found on public network access points, as a means of 633 enforcing account subscription prior to allowing use of non-local 634 Internet services, and within corporate firewalls to enforce network 635 usage policies. 637 HTTP is defined as a stateless protocol, meaning that each request 638 message can be understood in isolation. Many implementations depend 639 on HTTP's stateless design in order to reuse proxied connections or 640 dynamically load balance requests across multiple servers. Hence, a 641 server MUST NOT assume that two requests on the same connection are 642 from the same user agent unless the connection is secured and 643 specific to that agent. Some non-standard HTTP extensions (e.g., 644 [RFC4559]) have been known to violate this requirement, resulting in 645 security and interoperability problems. 647 2.3. Caches 649 A "cache" is a local store of previous response messages and the 650 subsystem that controls its message storage, retrieval, and deletion. 651 A cache stores cacheable responses in order to reduce the response 652 time and network bandwidth consumption on future, equivalent 653 requests. Any client or server MAY employ a cache, though a cache 654 cannot be used by a server while it is acting as a tunnel. 656 The effect of a cache is that the request/response chain is shortened 657 if one of the participants along the chain has a cached response 658 applicable to that request. The following illustrates the resulting 659 chain if B has a cached copy of an earlier response from O (via C) 660 for a request that has not been cached by UA or A. 662 > > 663 UA =========== A =========== B - - - - - - C - - - - - - O 664 < < 666 A response is "cacheable" if a cache is allowed to store a copy of 667 the response message for use in answering subsequent requests. Even 668 when a response is cacheable, there might be additional constraints 669 placed by the client or by the origin server on when that cached 670 response can be used for a particular request. HTTP requirements for 671 cache behavior and cacheable responses are defined in Section 2 of 672 [Caching]. 674 There is a wide variety of architectures and configurations of caches 675 deployed across the World Wide Web and inside large organizations. 676 These include national hierarchies of proxy caches to save 677 transoceanic bandwidth, collaborative systems that broadcast or 678 multicast cache entries, archives of pre-fetched cache entries for 679 use in off-line or high-latency environments, and so on. 681 2.4. Uniform Resource Identifiers 683 Uniform Resource Identifiers (URIs) [RFC3986] are used throughout 684 HTTP as the means for identifying resources (Section 2.5). URI 685 references are used to target requests, indicate redirects, and 686 define relationships. 688 The definitions of "URI-reference", "absolute-URI", "relative-part", 689 "authority", "port", "host", "path-abempty", "segment", and "query" 690 are adopted from the URI generic syntax. An "absolute-path" rule is 691 defined for protocol elements that can contain a non-empty path 692 component. (This rule differs slightly from the path-abempty rule of 693 RFC 3986, which allows for an empty path to be used in references, 694 and path-absolute rule, which does not allow paths that begin with 695 "//".) A "partial-URI" rule is defined for protocol elements that 696 can contain a relative URI but not a fragment component. 698 URI-reference = 699 absolute-URI = 700 relative-part = 701 authority = 702 uri-host = 703 port = 704 path-abempty = 705 segment = 706 query = 708 absolute-path = 1*( "/" segment ) 709 partial-URI = relative-part [ "?" query ] 711 Each protocol element in HTTP that allows a URI reference will 712 indicate in its ABNF production whether the element allows any form 713 of reference (URI-reference), only a URI in absolute form (absolute- 714 URI), only the path and optional query components, or some 715 combination of the above. Unless otherwise indicated, URI references 716 are parsed relative to the effective request URI (Section 5.3). 718 It is RECOMMENDED that all senders and recipients support, at a 719 minimum, URIs with lengths of 8000 octets in protocol elements. Note 720 that this implies some structures and on-wire representations (for 721 example, the request line in HTTP/1.1) will necessarily be larger in 722 some cases. 724 2.5. Resources 726 The target of an HTTP request is called a "resource". HTTP does not 727 limit the nature of a resource; it merely defines an interface that 728 might be used to interact with resources. Each resource is 729 identified by a Uniform Resource Identifier (URI), as described in 730 Section 2.4. 732 One design goal of HTTP is to separate resource identification from 733 request semantics, which is made possible by vesting the request 734 semantics in the request method (Section 7) and a few request- 735 modifying header fields (Section 8). If there is a conflict between 736 the method semantics and any semantic implied by the URI itself, as 737 described in Section 7.2.1, the method semantics take precedence. 739 IANA maintains the registry of URI Schemes [BCP35] at 740 . Although requests 741 might target any URI scheme, the following schemes are inherent to 742 HTTP servers: 744 +------------+------------------------------------+---------------+ 745 | URI Scheme | Description | Reference | 746 +------------+------------------------------------+---------------+ 747 | http | Hypertext Transfer Protocol | Section 2.5.1 | 748 | https | Hypertext Transfer Protocol Secure | Section 2.5.2 | 749 +------------+------------------------------------+---------------+ 751 2.5.1. http URI Scheme 753 The "http" URI scheme is hereby defined for the purpose of minting 754 identifiers according to their association with the hierarchical 755 namespace governed by a potential HTTP origin server listening for 756 TCP ([RFC0793]) connections on a given port. 758 http-URI = "http:" "//" authority path-abempty [ "?" query ] 760 The origin server for an "http" URI is identified by the authority 761 component, which includes a host identifier and optional TCP port 762 ([RFC3986], Section 3.2.2). The hierarchical path component and 763 optional query component serve as an identifier for a potential 764 target resource within that origin server's name space. 766 A sender MUST NOT generate an "http" URI with an empty host 767 identifier. A recipient that processes such a URI reference MUST 768 reject it as invalid. 770 If the host identifier is provided as an IP address, the origin 771 server is the listener (if any) on the indicated TCP port at that IP 772 address. If host is a registered name, the registered name is an 773 indirect identifier for use with a name resolution service, such as 774 DNS, to find an address for that origin server. If the port 775 subcomponent is empty or not given, TCP port 80 (the reserved port 776 for WWW services) is the default. 778 Note that the presence of a URI with a given authority component does 779 not imply that there is always an HTTP server listening for 780 connections on that host and port. Anyone can mint a URI. What the 781 authority component determines is who has the right to respond 782 authoritatively to requests that target the identified resource. The 783 delegated nature of registered names and IP addresses creates a 784 federated namespace, based on control over the indicated host and 785 port, whether or not an HTTP server is present. See Section 13.1 for 786 security considerations related to establishing authority. 788 When an "http" URI is used within a context that calls for access to 789 the indicated resource, a client MAY attempt access by resolving the 790 host to an IP address, establishing a TCP connection to that address 791 on the indicated port, and sending an HTTP request message (Section 2 792 of [Messaging]) containing the URI's identifying data to the server. 793 If the server responds to that request with a non-interim HTTP 794 response message, as described in Section 9, then that response is 795 considered an authoritative answer to the client's request. 797 Although HTTP is independent of the transport protocol, the "http" 798 scheme is specific to TCP-based services because the name delegation 799 process depends on TCP for establishing authority. An HTTP service 800 based on some other underlying connection protocol would presumably 801 be identified using a different URI scheme, just as the "https" 802 scheme (below) is used for resources that require an end-to-end 803 secured connection. Other protocols might also be used to provide 804 access to "http" identified resources -- it is only the authoritative 805 interface that is specific to TCP. 807 The URI generic syntax for authority also includes a deprecated 808 userinfo subcomponent ([RFC3986], Section 3.2.1) for including user 809 authentication information in the URI. Some implementations make use 810 of the userinfo component for internal configuration of 811 authentication information, such as within command invocation 812 options, configuration files, or bookmark lists, even though such 813 usage might expose a user identifier or password. A sender MUST NOT 814 generate the userinfo subcomponent (and its "@" delimiter) when an 815 "http" URI reference is generated within a message as a request 816 target or header field value. Before making use of an "http" URI 817 reference received from an untrusted source, a recipient SHOULD parse 818 for userinfo and treat its presence as an error; it is likely being 819 used to obscure the authority for the sake of phishing attacks. 821 2.5.2. https URI Scheme 823 The "https" URI scheme is hereby defined for the purpose of minting 824 identifiers according to their association with the hierarchical 825 namespace governed by a potential HTTP origin server listening to a 826 given TCP port for TLS-secured connections ([RFC8446]). 828 All of the requirements listed above for the "http" scheme are also 829 requirements for the "https" scheme, except that TCP port 443 is the 830 default if the port subcomponent is empty or not given, and the user 831 agent MUST ensure that its connection to the origin server is secured 832 through the use of strong encryption, end-to-end, prior to sending 833 the first HTTP request. 835 https-URI = "https:" "//" authority path-abempty [ "?" query ] 837 Note that the "https" URI scheme depends on both TLS and TCP for 838 establishing authority. Resources made available via the "https" 839 scheme have no shared identity with the "http" scheme even if their 840 resource identifiers indicate the same authority (the same host 841 listening to the same TCP port). They are distinct namespaces and 842 are considered to be distinct origin servers. However, an extension 843 to HTTP that is defined to apply to entire host domains, such as the 844 Cookie protocol [RFC6265], can allow information set by one service 845 to impact communication with other services within a matching group 846 of host domains. 848 2.5.2.1. Initiating HTTP Over TLS 850 Conceptually, HTTP/TLS is very simple. Simply use HTTP over TLS 851 precisely as you would use HTTP over TCP. 853 The agent acting as the HTTP client should also act as the TLS 854 client. It should initiate a connection to the server on the 855 appropriate port and then send the TLS ClientHello to begin the TLS 856 handshake. When the TLS handshake has finished. The client may then 857 initiate the first HTTP request. All HTTP data MUST be sent as TLS 858 "application data". Normal HTTP behavior, including retained 859 connections should be followed. 861 2.5.2.2. Identifying HTTPS Servers 863 In general, HTTP/TLS requests are generated by dereferencing a URI. 864 As a consequence, the hostname for the server is known to the client. 865 If the hostname is available, the client MUST check it against the 866 server's identity as presented in the server's Certificate message, 867 in order to prevent man-in-the-middle attacks. 869 If the client has external information as to the expected identity of 870 the server, the hostname check MAY be omitted. (For instance, a 871 client may be connecting to a machine whose address and hostname are 872 dynamic but the client knows the certificate that the server will 873 present.) In such cases, it is important to narrow the scope of 874 acceptable certificates as much as possible in order to prevent man 875 in the middle attacks. In special cases, it may be appropriate for 876 the client to simply ignore the server's identity, but it must be 877 understood that this leaves the connection open to active attack. 879 If a subjectAltName extension of type dNSName is present, that MUST 880 be used as the identity. Otherwise, the (most specific) Common Name 881 field in the Subject field of the certificate MUST be used. Although 882 the use of the Common Name is existing practice, it is deprecated and 883 Certification Authorities are encouraged to use the dNSName instead. 885 Matching is performed using the matching rules specified by 886 [RFC5280]. If more than one identity of a given type is present in 887 the certificate (e.g., more than one dNSName name, a match in any one 888 of the set is considered acceptable.) Names may contain the wildcard 889 character * which is considered to match any single domain name 890 component or component fragment. E.g., *.a.com matches foo.a.com but 891 not bar.foo.a.com. f*.com matches foo.com but not bar.com. 893 In some cases, the URI is specified as an IP address rather than a 894 hostname. In this case, the iPAddress subjectAltName must be present 895 in the certificate and must exactly match the IP in the URI. 897 If the hostname does not match the identity in the certificate, user 898 oriented clients MUST either notify the user (clients MAY give the 899 user the opportunity to continue with the connection in any case) or 900 terminate the connection with a bad certificate error. Automated 901 clients MUST log the error to an appropriate audit log (if available) 902 and SHOULD terminate the connection (with a bad certificate error). 903 Automated clients MAY provide a configuration setting that disables 904 this check, but MUST provide a setting which enables it. 906 Note that in many cases the URI itself comes from an untrusted 907 source. The above-described check provides no protection against 908 attacks where this source is compromised. For example, if the URI 909 was obtained by clicking on an HTML page which was itself obtained 910 without using HTTP/TLS, a man in the middle could have replaced the 911 URI. In order to prevent this form of attack, users should carefully 912 examine the certificate presented by the server to determine if it 913 meets their expectations. 915 2.5.2.3. Identifying HTTPS Clients 917 Typically, the server has no external knowledge of what the client's 918 identity ought to be and so checks (other than that the client has a 919 certificate chain rooted in an appropriate CA) are not possible. If 920 a server has such knowledge (typically from some source external to 921 HTTP or TLS) it SHOULD check the identity as described above. 923 2.5.3. Fragment Identifiers on http(s) URI References 925 Fragment identifiers allow for indirect identification of a secondary 926 resource, independent of the URI scheme, as defined in Section 3.5 of 927 [RFC3986]. Some protocol elements that refer to a URI allow 928 inclusion of a fragment, while others do not. They are distinguished 929 by use of the ABNF rule for elements where fragment is allowed; 930 otherwise, a specific rule that excludes fragments is used (see 931 Section 5.1). 933 Note: the fragment identifier component is not part of the actual 934 scheme definition for a URI scheme (see Section 4.3 of [RFC3986]), 935 thus does not appear in the ABNF definitions for the "http" and 936 "https" URI schemes above. 938 2.5.4. http and https URI Normalization and Comparison 940 Since the "http" and "https" schemes conform to the URI generic 941 syntax, such URIs are normalized and compared according to the 942 algorithm defined in Section 6 of [RFC3986], using the defaults 943 described above for each scheme. 945 If the port is equal to the default port for a scheme, the normal 946 form is to omit the port subcomponent. When not being used in 947 absolute form as the request target of an OPTIONS request, an empty 948 path component is equivalent to an absolute path of "/", so the 949 normal form is to provide a path of "/" instead. The scheme and host 950 are case-insensitive and normally provided in lowercase; all other 951 components are compared in a case-sensitive manner. Characters other 952 than those in the "reserved" set are equivalent to their percent- 953 encoded octets: the normal form is to not encode them (see Sections 954 2.1 and 2.2 of [RFC3986]). 956 For example, the following three URIs are equivalent: 958 http://example.com:80/~smith/home.html 959 http://EXAMPLE.com/%7Esmith/home.html 960 http://EXAMPLE.com:/%7esmith/home.html 962 3. Conformance 964 3.1. Implementation Diversity 966 When considering the design of HTTP, it is easy to fall into a trap 967 of thinking that all user agents are general-purpose browsers and all 968 origin servers are large public websites. That is not the case in 969 practice. Common HTTP user agents include household appliances, 970 stereos, scales, firmware update scripts, command-line programs, 971 mobile apps, and communication devices in a multitude of shapes and 972 sizes. Likewise, common HTTP origin servers include home automation 973 units, configurable networking components, office machines, 974 autonomous robots, news feeds, traffic cameras, ad selectors, and 975 video-delivery platforms. 977 The term "user agent" does not imply that there is a human user 978 directly interacting with the software agent at the time of a 979 request. In many cases, a user agent is installed or configured to 980 run in the background and save its results for later inspection (or 981 save only a subset of those results that might be interesting or 982 erroneous). Spiders, for example, are typically given a start URI 983 and configured to follow certain behavior while crawling the Web as a 984 hypertext graph. 986 The implementation diversity of HTTP means that not all user agents 987 can make interactive suggestions to their user or provide adequate 988 warning for security or privacy concerns. In the few cases where 989 this specification requires reporting of errors to the user, it is 990 acceptable for such reporting to only be observable in an error 991 console or log file. Likewise, requirements that an automated action 992 be confirmed by the user before proceeding might be met via advance 993 configuration choices, run-time options, or simple avoidance of the 994 unsafe action; confirmation does not imply any specific user 995 interface or interruption of normal processing if the user has 996 already made that choice. 998 3.2. Role-based Requirements 1000 This specification targets conformance criteria according to the role 1001 of a participant in HTTP communication. Hence, HTTP requirements are 1002 placed on senders, recipients, clients, servers, user agents, 1003 intermediaries, origin servers, proxies, gateways, or caches, 1004 depending on what behavior is being constrained by the requirement. 1005 Additional (social) requirements are placed on implementations, 1006 resource owners, and protocol element registrations when they apply 1007 beyond the scope of a single communication. 1009 The verb "generate" is used instead of "send" where a requirement 1010 differentiates between creating a protocol element and merely 1011 forwarding a received element downstream. 1013 An implementation is considered conformant if it complies with all of 1014 the requirements associated with the roles it partakes in HTTP. 1016 Conformance includes both the syntax and semantics of protocol 1017 elements. A sender MUST NOT generate protocol elements that convey a 1018 meaning that is known by that sender to be false. A sender MUST NOT 1019 generate protocol elements that do not match the grammar defined by 1020 the corresponding ABNF rules. Within a given message, a sender MUST 1021 NOT generate protocol elements or syntax alternatives that are only 1022 allowed to be generated by participants in other roles (i.e., a role 1023 that the sender does not have for that message). 1025 3.3. Parsing Elements 1027 When a received protocol element is parsed, the recipient MUST be 1028 able to parse any value of reasonable length that is applicable to 1029 the recipient's role and that matches the grammar defined by the 1030 corresponding ABNF rules. Note, however, that some received protocol 1031 elements might not be parsed. For example, an intermediary 1032 forwarding a message might parse a header-field into generic field- 1033 name and field-value components, but then forward the header field 1034 without further parsing inside the field-value. 1036 HTTP does not have specific length limitations for many of its 1037 protocol elements because the lengths that might be appropriate will 1038 vary widely, depending on the deployment context and purpose of the 1039 implementation. Hence, interoperability between senders and 1040 recipients depends on shared expectations regarding what is a 1041 reasonable length for each protocol element. Furthermore, what is 1042 commonly understood to be a reasonable length for some protocol 1043 elements has changed over the course of the past two decades of HTTP 1044 use and is expected to continue changing in the future. 1046 At a minimum, a recipient MUST be able to parse and process protocol 1047 element lengths that are at least as long as the values that it 1048 generates for those same protocol elements in other messages. For 1049 example, an origin server that publishes very long URI references to 1050 its own resources needs to be able to parse and process those same 1051 references when received as a request target. 1053 3.4. Error Handling 1055 A recipient MUST interpret a received protocol element according to 1056 the semantics defined for it by this specification, including 1057 extensions to this specification, unless the recipient has determined 1058 (through experience or configuration) that the sender incorrectly 1059 implements what is implied by those semantics. For example, an 1060 origin server might disregard the contents of a received Accept- 1061 Encoding header field if inspection of the User-Agent header field 1062 indicates a specific implementation version that is known to fail on 1063 receipt of certain content codings. 1065 Unless noted otherwise, a recipient MAY attempt to recover a usable 1066 protocol element from an invalid construct. HTTP does not define 1067 specific error handling mechanisms except when they have a direct 1068 impact on security, since different applications of the protocol 1069 require different error handling strategies. For example, a Web 1070 browser might wish to transparently recover from a response where the 1071 Location header field doesn't parse according to the ABNF, whereas a 1072 systems control client might consider any form of error recovery to 1073 be dangerous. 1075 Some requests can be automatically retried by a client in the event 1076 of an underlying connection failure, as described in Section 7.2.2. 1078 3.5. Protocol Versioning 1080 The HTTP version number consists of two decimal digits separated by a 1081 "." (period or decimal point). The first digit ("major version") 1082 indicates the HTTP messaging syntax, whereas the second digit ("minor 1083 version") indicates the highest minor version within that major 1084 version to which the sender is conformant and able to understand for 1085 future communication. 1087 The protocol version as a whole indicates the sender's conformance 1088 with the set of requirements laid out in that version's corresponding 1089 specification of HTTP. For example, the version "HTTP/1.1" is 1090 defined by the combined specifications of this document, "HTTP 1091 Caching" [Caching], and "HTTP/1.1 Messaging" [Messaging]. 1093 The minor version advertises the sender's communication capabilities 1094 even when the sender is only using a backwards-compatible subset of 1095 the protocol, thereby letting the recipient know that more advanced 1096 features can be used in response (by servers) or in future requests 1097 (by clients). 1099 A client SHOULD send a request version equal to the highest version 1100 to which the client is conformant and whose major version is no 1101 higher than the highest version supported by the server, if this is 1102 known. A client MUST NOT send a version to which it is not 1103 conformant. 1105 A client MAY send a lower request version if it is known that the 1106 server incorrectly implements the HTTP specification, but only after 1107 the client has attempted at least one normal request and determined 1108 from the response status code or header fields (e.g., Server) that 1109 the server improperly handles higher request versions. 1111 A server SHOULD send a response version equal to the highest version 1112 to which the server is conformant that has a major version less than 1113 or equal to the one received in the request. A server MUST NOT send 1114 a version to which it is not conformant. A server can send a 505 1115 (HTTP Version Not Supported) response if it wishes, for any reason, 1116 to refuse service of the client's major protocol version. 1118 HTTP's major version number is incremented when an incompatible 1119 message syntax is introduced. The minor number is incremented when 1120 changes made to the protocol have the effect of adding to the message 1121 semantics or implying additional capabilities of the sender. 1123 When an HTTP message is received with a major version number that the 1124 recipient implements, but a higher minor version number than what the 1125 recipient implements, the recipient SHOULD process the message as if 1126 it were in the highest minor version within that major version to 1127 which the recipient is conformant. A recipient can assume that a 1128 message with a higher minor version, when sent to a recipient that 1129 has not yet indicated support for that higher version, is 1130 sufficiently backwards-compatible to be safely processed by any 1131 implementation of the same major version. 1133 When a major version of HTTP does not define any minor versions, the 1134 minor version "0" is implied and is used when referring to that 1135 protocol within a protocol element that requires sending a minor 1136 version. 1138 4. Header Fields 1140 This section defines the abstraction for message fields as field-name 1141 and field-value pairs. 1143 4.1. Header Field Names 1145 Header fields are key:value pairs that can be used to communicate 1146 data about the message, its payload, the target resource, or the 1147 connection (i.e., control data). 1149 The requirements for header field names are defined in [BCP90]. 1151 The field-name token labels the corresponding field-value as having 1152 the semantics defined by that header field. For example, the Date 1153 header field is defined in Section 10.1.1.2 as containing the 1154 origination timestamp for the message in which it appears. 1156 field-name = token 1158 The interpretation of a header field does not change between minor 1159 versions of the same major HTTP version, though the default behavior 1160 of a recipient in the absence of such a field can change. Unless 1161 specified otherwise, header fields are defined for all versions of 1162 HTTP. In particular, the Host and Connection header fields ought to 1163 be implemented by all HTTP/1.x implementations whether or not they 1164 advertise conformance with HTTP/1.1. 1166 New header fields can be introduced without changing the protocol 1167 version if their defined semantics allow them to be safely ignored by 1168 recipients that do not recognize them. Header field extensibility is 1169 discussed in Section 4.1.2. 1171 The following field names are defined by this document: 1173 +---------------------------+------------+-------------------+ 1174 | Header Field Name | Status | Reference | 1175 +---------------------------+------------+-------------------+ 1176 | Accept | standard | Section 8.4.2 | 1177 | Accept-Charset | deprecated | Section 8.4.3 | 1178 | Accept-Encoding | standard | Section 8.4.4 | 1179 | Accept-Language | standard | Section 8.4.5 | 1180 | Accept-Ranges | standard | Section 10.4.1 | 1181 | Allow | standard | Section 10.4.2 | 1182 | Authentication-Info | standard | Section 10.3.3 | 1183 | Authorization | standard | Section 8.5.3 | 1184 | Content-Encoding | standard | Section 6.2.2 | 1185 | Content-Language | standard | Section 6.2.3 | 1186 | Content-Length | standard | Section 6.2.4 | 1187 | Content-Location | standard | Section 6.2.5 | 1188 | Content-Range | standard | Section 6.3.4 | 1189 | Content-Type | standard | Section 6.2.1 | 1190 | Date | standard | Section 10.1.1.2 | 1191 | ETag | standard | Section 10.2.3 | 1192 | Expect | standard | Section 8.1.1 | 1193 | From | standard | Section 8.6.1 | 1194 | Host | standard | Section 5.4 | 1195 | If-Match | standard | Section 8.2.3 | 1196 | If-Modified-Since | standard | Section 8.2.5 | 1197 | If-None-Match | standard | Section 8.2.4 | 1198 | If-Range | standard | Section 8.2.7 | 1199 | If-Unmodified-Since | standard | Section 8.2.6 | 1200 | Last-Modified | standard | Section 10.2.2 | 1201 | Location | standard | Section 10.1.2 | 1202 | Max-Forwards | standard | Section 8.1.2 | 1203 | Proxy-Authenticate | standard | Section 10.3.2 | 1204 | Proxy-Authentication-Info | standard | Section 10.3.4 | 1205 | Proxy-Authorization | standard | Section 8.5.4 | 1206 | Range | standard | Section 8.3 | 1207 | Referer | standard | Section 8.6.2 | 1208 | Retry-After | standard | Section 10.1.3 | 1209 | Server | standard | Section 10.4.3 | 1210 | Trailer | standard | Section 4.3.3 | 1211 | User-Agent | standard | Section 8.6.3 | 1212 | Vary | standard | Section 10.1.4 | 1213 | Via | standard | Section 5.5.1 | 1214 | WWW-Authenticate | standard | Section 10.3.1 | 1215 +---------------------------+------------+-------------------+ 1217 Table 1 1219 4.1.1. Header Field Name Registry 1221 The "Hypertext Transfer Protocol (HTTP) Header Field Registry" 1222 defines the namespace for HTTP header field names. 1224 Any party can request registration of a HTTP header field. See 1225 Section 4.4 for considerations to take into account when creating a 1226 new HTTP header field. 1228 The "HTTP Header Field Name" registry is located at 1229 "https://www.iana.org/assignments/http-headers/". Registration 1230 requests can be made by following the instructions located there or 1231 by sending an email to the "ietf-http-wg@ietf.org" mailing list. 1233 Header field names are registered on the advice of a Designated 1234 Expert (appointed by the IESG or their delegate). Header fields with 1235 the status 'permanent' are Specification Required (using terminology 1236 from [RFC8126]). 1238 Registration requests consist of at least the following information: 1240 o Header field name: The requested field name. It MUST conform to 1241 the field-name syntax defined in Section 4.1, and SHOULD be 1242 restricted to just letters, digits, hyphen ('-') and underscore 1243 ('_') characters, with the first character being a letter. 1245 o Status: "permanent" or "provisional" 1247 o Specification document(s): Reference to the document that 1248 specifies the header field, preferably including a URI that can be 1249 used to retrieve a copy of the document. An indication of the 1250 relevant section(s) can also be included, but is not required. 1252 The Expert(s) can define additional fields to be collected in the 1253 registry, in consultation with the community. 1255 Standards-defined names have a status of "permanent". Other names 1256 can also be registered as permanent, if the Expert(s) find that they 1257 are in use, in consultation with the community. Other names should 1258 be registered as "provisional". 1260 Provisional entries can be removed by the Expert(s) if -- in 1261 consultation with the community -- the Expert(s) find that they are 1262 not in use. The Experts can change a provisional entry's status to 1263 permanent at any time. 1265 Note that names can be registered by third parties (including the 1266 Expert(s)), if the Expert(s) determines that an unregistered name is 1267 widely deployed and not likely to be registered in a timely manner 1268 otherwise. 1270 4.1.2. Header Field Extensibility 1272 Header fields are fully extensible: there is no limit on the 1273 introduction of new field names, each presumably defining new 1274 semantics, nor on the number of header fields used in a given 1275 message. Existing fields are defined in each part of this 1276 specification and in many other specifications outside this document 1277 set. 1279 New header fields can be defined such that, when they are understood 1280 by a recipient, they might override or enhance the interpretation of 1281 previously defined header fields, define preconditions on request 1282 evaluation, or refine the meaning of responses. 1284 A proxy MUST forward unrecognized header fields unless the field-name 1285 is listed in the Connection header field (Section 9.1 of [Messaging]) 1286 or the proxy is specifically configured to block, or otherwise 1287 transform, such fields. Other recipients SHOULD ignore unrecognized 1288 header fields. These requirements allow HTTP's functionality to be 1289 enhanced without requiring prior update of deployed intermediaries. 1291 All defined header fields ought to be registered with IANA in the 1292 "HTTP Header Field Name" registry. 1294 4.2. Header Field Values 1296 This specification does not use ABNF rules to define each "Field- 1297 Name: Field Value" pair, as was done in earlier editions. Instead, 1298 this specification uses ABNF rules that are named according to each 1299 registered field name, wherein the rule defines the valid grammar for 1300 that field's corresponding field values (i.e., after the field-value 1301 has been extracted by a generic field parser). 1303 field-value = *( field-content / obs-fold ) 1304 field-content = field-vchar 1305 [ 1*( SP / HTAB / field-vchar ) field-vchar ] 1306 field-vchar = VCHAR / obs-text 1308 Historically, HTTP header field values could be extended over 1309 multiple lines by preceding each extra line with at least one space 1310 or horizontal tab (obs-fold). [[CREF1: This document assumes that 1311 any such obs-fold has been replaced with one or more SP octets prior 1312 to interpreting the field value, as described in Section 5.2 of 1313 [Messaging].]] 1314 Historically, HTTP has allowed field content with text in the 1315 ISO-8859-1 charset [ISO-8859-1], supporting other charsets only 1316 through use of [RFC2047] encoding. In practice, most HTTP header 1317 field values use only a subset of the US-ASCII charset [USASCII]. 1318 Newly defined header fields SHOULD limit their field values to 1319 US-ASCII octets. A recipient SHOULD treat other octets in field 1320 content (obs-text) as opaque data. 1322 4.2.1. Header Field Order 1324 The order in which header fields with differing field names are 1325 received is not significant. However, it is good practice to send 1326 header fields that contain control data first, such as Host on 1327 requests and Date on responses, so that implementations can decide 1328 when not to handle a message as early as possible. A server MUST NOT 1329 apply a request to the target resource until the entire request 1330 header section is received, since later header fields might include 1331 conditionals, authentication credentials, or deliberately misleading 1332 duplicate header fields that would impact request processing. 1334 Aside from the well-known exception noted below, a sender MUST NOT 1335 generate multiple header fields with the same field name in a 1336 message, or append a header field when a field of the same name 1337 already exists in the message, unless that field's definition allows 1338 multiple field values to be recombined as a comma-separated list 1339 [i.e., at least one alternative of the field's definition allows a 1340 comma-separated list, such as an ABNF rule of #(values)]. 1342 A recipient MAY combine multiple header fields with the same field 1343 name into one "field-name: field-value" pair, without changing the 1344 semantics of the message, by appending each subsequent field value to 1345 the combined field value in order, separated by a comma. The order 1346 in which header fields with the same field name are received is 1347 therefore significant to the interpretation of the combined field 1348 value; a proxy MUST NOT change the order of these field values when 1349 forwarding a message. 1351 Note: In practice, the "Set-Cookie" header field ([RFC6265]) often 1352 appears multiple times in a response message and does not use the 1353 list syntax, violating the above requirements on multiple header 1354 fields with the same name. Since it cannot be combined into a 1355 single field-value, recipients ought to handle "Set-Cookie" as a 1356 special case while processing header fields. (See Appendix A.2.3 1357 of [Kri2001] for details.) 1359 4.2.2. Header Field Limits 1361 HTTP does not place a predefined limit on the length of each header 1362 field or on the length of the header section as a whole, as described 1363 in Section 3. Various ad hoc limitations on individual header field 1364 length are found in practice, often depending on the specific field 1365 semantics. 1367 A server that receives a request header field, or set of fields, 1368 larger than it wishes to process MUST respond with an appropriate 4xx 1369 (Client Error) status code. Ignoring such header fields would 1370 increase the server's vulnerability to request smuggling attacks 1371 (Section 11.2 of [Messaging]). 1373 A client MAY discard or truncate received header fields that are 1374 larger than the client wishes to process if the field semantics are 1375 such that the dropped value(s) can be safely ignored without changing 1376 the message framing or response semantics. 1378 4.2.3. Header Field Value Components 1380 Many HTTP header field values are defined using common syntax 1381 components, separated by whitespace or specific delimiting 1382 characters. Delimiters are chosen from the set of US-ASCII visual 1383 characters not allowed in a token (DQUOTE and "(),/:;<=>?@[\]{}"). 1385 4.2.3.1. Tokens 1387 Tokens are short textual identifiers that do not include whitespace 1388 or delimiters. 1390 token = 1*tchar 1392 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" 1393 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" 1394 / DIGIT / ALPHA 1395 ; any VCHAR, except delimiters 1397 4.2.3.2. Quoted Strings 1399 A string of text is parsed as a single value if it is quoted using 1400 double-quote marks. 1402 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 1403 qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text 1404 obs-text = %x80-FF 1406 The backslash octet ("\") can be used as a single-octet quoting 1407 mechanism within quoted-string and comment constructs. Recipients 1408 that process the value of a quoted-string MUST handle a quoted-pair 1409 as if it were replaced by the octet following the backslash. 1411 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 1413 A sender SHOULD NOT generate a quoted-pair in a quoted-string except 1414 where necessary to quote DQUOTE and backslash octets occurring within 1415 that string. A sender SHOULD NOT generate a quoted-pair in a comment 1416 except where necessary to quote parentheses ["(" and ")"] and 1417 backslash octets occurring within that comment. 1419 4.2.3.3. Comments 1421 Comments can be included in some HTTP header fields by surrounding 1422 the comment text with parentheses. Comments are only allowed in 1423 fields containing "comment" as part of their field value definition. 1425 comment = "(" *( ctext / quoted-pair / comment ) ")" 1426 ctext = HTAB / SP / %x21-27 / %x2A-5B / %x5D-7E / obs-text 1428 4.2.3.4. Parameters 1430 A parameter is a name=value pair that is often defined within header 1431 field values as a common syntax for appending auxiliary information 1432 to an item. Each parameter is usually delimited by an immediately 1433 preceding semicolon. 1435 parameter = parameter-name "=" parameter-value 1436 parameter-name = token 1437 parameter-value = ( token / quoted-string ) 1439 Parameter names are case-insensitive. Parameter values might or 1440 might not be case-sensitive, depending on the semantics of the 1441 parameter name. Examples of parameters and some equivalent forms can 1442 be seen in media types (Section 6.1.1) and the Accept header field 1443 (Section 8.4.2). 1445 A parameter value that matches the token production can be 1446 transmitted either as a token or within a quoted-string. The quoted 1447 and unquoted values are equivalent. 1449 Note: Parameters do not allow whitespace (not even "bad" 1450 whitespace) around the "=" character. 1452 4.3. Trailer Fields 1454 4.3.1. Purpose 1456 In some HTTP versions, additional metadata can be sent after the 1457 initial header section has been completed (during or after 1458 transmission of the payload body), such as a message integrity check, 1459 digital signature, or post-processing status. For example, the 1460 chunked coding in HTTP/1.1 allows a trailer section after the payload 1461 body (Section 7.1.2 of [Messaging]) which can contain trailer fields: 1462 field names and values that share the same syntax and namespace as 1463 header fields but are received after the header section. 1465 Trailer fields ought to be processed and stored separately from the 1466 fields in the header section to avoid contradicting message semantics 1467 known at the time the header section was complete. The presence or 1468 absence of certain header fields might impact choices made for the 1469 routing or processing of the message as a whole before the trailers 1470 are received; those choices cannot be unmade by the later discovery 1471 of trailer fields. 1473 4.3.2. Limitations 1475 Many header fields cannot be processed outside the header section 1476 because their evaluation is necessary prior to receiving the message 1477 body, such as fields that describe message framing, routing, 1478 authentication, request modifiers, response controls, or payload 1479 format. A sender MUST NOT generate a trailer field unless the sender 1480 knows the corresponding header field name's definition permits the 1481 field to be sent in trailers. 1483 Trailer fields can be difficult to process by intermediaries that 1484 forward messages from one protocol version to another. If the entire 1485 message can be buffered in transit, some intermediaries could merge 1486 trailer fields into the header section (as appropriate) before it is 1487 forwarded. However, in most cases, the trailers are simply 1488 discarded. A recipient MUST NOT merge a trailer field into a header 1489 section unless the recipient understands the corresponding header 1490 field definition and that definition explicitly permits and defines 1491 how trailer field values can be safely merged. 1493 A client can send a TE header field indicating "trailers" is 1494 acceptable, as described in Section 7.4 of [Messaging], to inform the 1495 server that it will not discard trailer fields. 1497 Because of the potential for trailer fields to be discarded in 1498 transit, a server SHOULD NOT generate trailer fields that it believes 1499 are necessary for the user agent to receive. 1501 4.3.3. Trailer 1503 The "Trailer" header field provides a list of field names that the 1504 sender anticipates sending as trailer fields within that message. 1505 This allows a recipient to prepare for receipt of the indicated 1506 metadata before it starts processing the body. 1508 Trailer = 1#field-name 1510 For example, a sender might indicate that a message integrity check 1511 will be computed as the payload is being streamed and provide the 1512 final signature as a trailer field. This allows a recipient to 1513 perform the same check on the fly as the payload data is received. 1515 A sender that intends to generate one or more trailer fields in a 1516 message SHOULD generate a Trailer header field in the header section 1517 of that message to indicate which fields might be present in the 1518 trailers. 1520 4.4. Considerations for New Header Fields 1522 Authors of specifications defining new fields are advised to choose a 1523 short but descriptive field name. Short names avoid needless data 1524 transmission; descriptive names avoid confusion and "squatting" on 1525 names that might have broader uses. 1527 To that end, limited-use fields (such as a header confined to a 1528 single application or use case) are encouraged to use a name that 1529 includes its name (or an abbreviation) as a prefix; for example, if 1530 the Foo Application needs a Description field, it might use "Foo- 1531 Desc"; "Description" is too generic, and "Foo-Description" is 1532 needlessly long. 1534 Header field names ought not be prefixed with "X-"; see [BCP178] for 1535 further information. 1537 Other prefixes are sometimes used in HTTP header field names; for 1538 example, "Accept-" is used in many content negotiation headers. 1539 These prefixes are only an aid to recognizing the purpose of a header 1540 field, and do not trigger automatic processing. 1542 Header field values typically have their syntax defined using ABNF 1543 ([RFC5234]), using the extension defined in Section 12 as necessary, 1544 and are usually constrained to the range of US-ASCII characters. 1545 Header fields needing a greater range of characters can use an 1546 encoding such as the one defined in [RFC8187]. 1548 Leading and trailing whitespace in raw field values is removed upon 1549 field parsing (Section 5.1 of [Messaging]). Field definitions where 1550 leading or trailing whitespace in values is significant will have to 1551 use a container syntax such as quoted-string (Section 4.2.3.2). 1553 Because commas (",") are used as a generic delimiter between field- 1554 values, they need to be treated with care if they are allowed in the 1555 field-value. Typically, components that might contain a comma are 1556 protected with double-quotes using the quoted-string ABNF production. 1558 For example, a textual date and a URI (either of which might contain 1559 a comma) could be safely carried in field-values like these: 1561 Example-URI-Field: "http://example.com/a.html,foo", 1562 "http://without-a-comma.example.com/" 1563 Example-Date-Field: "Sat, 04 May 1996", "Wed, 14 Sep 2005" 1565 Note that double-quote delimiters almost always are used with the 1566 quoted-string production; using a different syntax inside double- 1567 quotes will likely cause unnecessary confusion. 1569 Many header fields (such as Content-Type, defined in Section 6.2.1) 1570 use a common syntax for parameters that allows both unquoted (token) 1571 and quoted (quoted-string) syntax for a parameter value 1572 (Section 4.2.3.4). Use of common syntax allows recipients to reuse 1573 existing parser components. When allowing both forms, the meaning of 1574 a parameter value ought to be the same whether it was received as a 1575 token or a quoted string. 1577 Authors of specifications defining new header fields are advised to 1578 consider documenting: 1580 o Whether the field is a single value or whether it can be a list 1581 (delimited by commas; see Section 4.2). 1583 If it does not use the list syntax, document how to treat messages 1584 where the field occurs multiple times (a sensible default would be 1585 to ignore the field, but this might not always be the right 1586 choice). 1588 Note that intermediaries and software libraries might combine 1589 multiple header field instances into a single one, despite the 1590 field's definition not allowing the list syntax. A robust format 1591 enables recipients to discover these situations (good example: 1592 "Content-Type", as the comma can only appear inside quoted 1593 strings; bad example: "Location", as a comma can occur inside a 1594 URI). 1596 o Under what conditions the header field can be used; e.g., only in 1597 responses or requests, in all messages, only on responses to a 1598 particular request method, etc. 1600 o Whether the field should be stored by origin servers that 1601 understand it upon a PUT request. 1603 o Whether the field semantics are further refined by the context, 1604 such as by existing request methods or status codes. 1606 o Whether it is appropriate to list the field-name in the Connection 1607 header field (i.e., if the header field is to be hop-by-hop; see 1608 Section 9.1 of [Messaging]). 1610 o Under what conditions intermediaries are allowed to insert, 1611 delete, or modify the field's value. 1613 o Whether it is appropriate to list the field-name in a Vary 1614 response header field (e.g., when the request header field is used 1615 by an origin server's content selection algorithm; see 1616 Section 10.1.4). 1618 o Whether the header field is useful or allowable in trailers (see 1619 Section 7.1 of [Messaging]). 1621 o Whether the header field ought to be preserved across redirects. 1623 o Whether it introduces any additional security considerations, such 1624 as disclosure of privacy-related data. 1626 5. Message Routing 1628 HTTP request message routing is determined by each client based on 1629 the target resource, the client's proxy configuration, and 1630 establishment or reuse of an inbound connection. The corresponding 1631 response routing follows the same connection chain back to the 1632 client. 1634 5.1. Identifying a Target Resource 1636 HTTP is used in a wide variety of applications, ranging from general- 1637 purpose computers to home appliances. In some cases, communication 1638 options are hard-coded in a client's configuration. However, most 1639 HTTP clients rely on the same resource identification mechanism and 1640 configuration techniques as general-purpose Web browsers. 1642 HTTP communication is initiated by a user agent for some purpose. 1643 The purpose is a combination of request semantics and a target 1644 resource upon which to apply those semantics. A URI reference 1645 (Section 2.4) is typically used as an identifier for the "target 1646 resource", which a user agent would resolve to its absolute form in 1647 order to obtain the "target URI". The target URI excludes the 1648 reference's fragment component, if any, since fragment identifiers 1649 are reserved for client-side processing ([RFC3986], Section 3.5). 1651 5.2. Routing Inbound 1653 Once the target URI is determined, a client needs to decide whether a 1654 network request is necessary to accomplish the desired semantics and, 1655 if so, where that request is to be directed. 1657 If the client has a cache [Caching] and the request can be satisfied 1658 by it, then the request is usually directed there first. 1660 If the request is not satisfied by a cache, then a typical client 1661 will check its configuration to determine whether a proxy is to be 1662 used to satisfy the request. Proxy configuration is implementation- 1663 dependent, but is often based on URI prefix matching, selective 1664 authority matching, or both, and the proxy itself is usually 1665 identified by an "http" or "https" URI. If a proxy is applicable, 1666 the client connects inbound by establishing (or reusing) a connection 1667 to that proxy. 1669 If no proxy is applicable, a typical client will invoke a handler 1670 routine, usually specific to the target URI's scheme, to connect 1671 directly to an authority for the target resource. How that is 1672 accomplished is dependent on the target URI scheme and defined by its 1673 associated specification, similar to how this specification defines 1674 origin server access for resolution of the "http" (Section 2.5.1) and 1675 "https" (Section 2.5.2) schemes. 1677 HTTP requirements regarding connection management are defined in 1678 Section 9 of [Messaging]. 1680 5.3. Effective Request URI 1682 Once an inbound connection is obtained, the client sends an HTTP 1683 request message (Section 2 of [Messaging]). 1685 Depending on the nature of the request, the client's target URI might 1686 be split into components and transmitted (or implied) within various 1687 parts of a request message. These parts are recombined by each 1688 recipient, in accordance with their local configuration and incoming 1689 connection context, to form an "effective request URI" for 1690 identifying the intended target resource with respect to that server. 1692 Section 3.3 of [Messaging] defines how a server determines the 1693 effective request URI for an HTTP/1.1 request. 1695 For a user agent, the effective request URI is the target URI. 1697 Once the effective request URI has been constructed, an origin server 1698 needs to decide whether or not to provide service for that URI via 1699 the connection in which the request was received. For example, the 1700 request might have been misdirected, deliberately or accidentally, 1701 such that the information within a received request-target or Host 1702 header field differs from the host or port upon which the connection 1703 has been made. If the connection is from a trusted gateway, that 1704 inconsistency might be expected; otherwise, it might indicate an 1705 attempt to bypass security filters, trick the server into delivering 1706 non-public content, or poison a cache. See Section 13 for security 1707 considerations regarding message routing. 1709 5.4. Host 1711 The "Host" header field in a request provides the host and port 1712 information from the target URI, enabling the origin server to 1713 distinguish among resources while servicing requests for multiple 1714 host names on a single IP address. 1716 Host = uri-host [ ":" port ] ; Section 2.4 1718 A client MUST send a Host header field in all HTTP/1.1 request 1719 messages. If the target URI includes an authority component, then a 1720 client MUST send a field-value for Host that is identical to that 1721 authority component, excluding any userinfo subcomponent and its "@" 1722 delimiter (Section 2.5.1). If the authority component is missing or 1723 undefined for the target URI, then a client MUST send a Host header 1724 field with an empty field-value. 1726 Since the Host field-value is critical information for handling a 1727 request, a user agent SHOULD generate Host as the first header field 1728 following the request-line. 1730 For example, a GET request to the origin server for 1731 would begin with: 1733 GET /pub/WWW/ HTTP/1.1 1734 Host: www.example.org 1736 A client MUST send a Host header field in an HTTP/1.1 request even if 1737 the request-target is in the absolute-form, since this allows the 1738 Host information to be forwarded through ancient HTTP/1.0 proxies 1739 that might not have implemented Host. 1741 When a proxy receives a request with an absolute-form of request- 1742 target, the proxy MUST ignore the received Host header field (if any) 1743 and instead replace it with the host information of the request- 1744 target. A proxy that forwards such a request MUST generate a new 1745 Host field-value based on the received request-target rather than 1746 forward the received Host field-value. 1748 Since the Host header field acts as an application-level routing 1749 mechanism, it is a frequent target for malware seeking to poison a 1750 shared cache or redirect a request to an unintended server. An 1751 interception proxy is particularly vulnerable if it relies on the 1752 Host field-value for redirecting requests to internal servers, or for 1753 use as a cache key in a shared cache, without first verifying that 1754 the intercepted connection is targeting a valid IP address for that 1755 host. 1757 A server MUST respond with a 400 (Bad Request) status code to any 1758 HTTP/1.1 request message that lacks a Host header field and to any 1759 request message that contains more than one Host header field or a 1760 Host header field with an invalid field-value. 1762 5.5. Message Forwarding 1764 As described in Section 2.2, intermediaries can serve a variety of 1765 roles in the processing of HTTP requests and responses. Some 1766 intermediaries are used to improve performance or availability. 1767 Others are used for access control or to filter content. Since an 1768 HTTP stream has characteristics similar to a pipe-and-filter 1769 architecture, there are no inherent limits to the extent an 1770 intermediary can enhance (or interfere) with either direction of the 1771 stream. 1773 An intermediary not acting as a tunnel MUST implement the Connection 1774 header field, as specified in Section 9.1 of [Messaging], and exclude 1775 fields from being forwarded that are only intended for the incoming 1776 connection. 1778 An intermediary MUST NOT forward a message to itself unless it is 1779 protected from an infinite request loop. In general, an intermediary 1780 ought to recognize its own server names, including any aliases, local 1781 variations, or literal IP addresses, and respond to such requests 1782 directly. 1784 An HTTP message can be parsed as a stream for incremental processing 1785 or forwarding downstream. However, recipients cannot rely on 1786 incremental delivery of partial messages, since some implementations 1787 will buffer or delay message forwarding for the sake of network 1788 efficiency, security checks, or payload transformations. 1790 5.5.1. Via 1792 The "Via" header field indicates the presence of intermediate 1793 protocols and recipients between the user agent and the server (on 1794 requests) or between the origin server and the client (on responses), 1795 similar to the "Received" header field in email (Section 3.6.7 of 1796 [RFC5322]). Via can be used for tracking message forwards, avoiding 1797 request loops, and identifying the protocol capabilities of senders 1798 along the request/response chain. 1800 Via = 1#( received-protocol RWS received-by [ RWS comment ] ) 1802 received-protocol = [ protocol-name "/" ] protocol-version 1803 ; see [Messaging], Section 9.9 1804 received-by = ( uri-host [ ":" port ] ) / pseudonym 1805 pseudonym = token 1807 Multiple Via field values represent each proxy or gateway that has 1808 forwarded the message. Each intermediary appends its own information 1809 about how the message was received, such that the end result is 1810 ordered according to the sequence of forwarding recipients. 1812 A proxy MUST send an appropriate Via header field, as described 1813 below, in each message that it forwards. An HTTP-to-HTTP gateway 1814 MUST send an appropriate Via header field in each inbound request 1815 message and MAY send a Via header field in forwarded response 1816 messages. 1818 For each intermediary, the received-protocol indicates the protocol 1819 and protocol version used by the upstream sender of the message. 1820 Hence, the Via field value records the advertised protocol 1821 capabilities of the request/response chain such that they remain 1822 visible to downstream recipients; this can be useful for determining 1823 what backwards-incompatible features might be safe to use in 1824 response, or within a later request, as described in Section 3.5. 1825 For brevity, the protocol-name is omitted when the received protocol 1826 is HTTP. 1828 The received-by portion of the field value is normally the host and 1829 optional port number of a recipient server or client that 1830 subsequently forwarded the message. However, if the real host is 1831 considered to be sensitive information, a sender MAY replace it with 1832 a pseudonym. If a port is not provided, a recipient MAY interpret 1833 that as meaning it was received on the default TCP port, if any, for 1834 the received-protocol. 1836 A sender MAY generate comments in the Via header field to identify 1837 the software of each recipient, analogous to the User-Agent and 1838 Server header fields. However, all comments in the Via field are 1839 optional, and a recipient MAY remove them prior to forwarding the 1840 message. 1842 For example, a request message could be sent from an HTTP/1.0 user 1843 agent to an internal proxy code-named "fred", which uses HTTP/1.1 to 1844 forward the request to a public proxy at p.example.net, which 1845 completes the request by forwarding it to the origin server at 1846 www.example.com. The request received by www.example.com would then 1847 have the following Via header field: 1849 Via: 1.0 fred, 1.1 p.example.net 1851 An intermediary used as a portal through a network firewall SHOULD 1852 NOT forward the names and ports of hosts within the firewall region 1853 unless it is explicitly enabled to do so. If not enabled, such an 1854 intermediary SHOULD replace each received-by host of any host behind 1855 the firewall by an appropriate pseudonym for that host. 1857 An intermediary MAY combine an ordered subsequence of Via header 1858 field entries into a single such entry if the entries have identical 1859 received-protocol values. For example, 1861 Via: 1.0 ricky, 1.1 ethel, 1.1 fred, 1.0 lucy 1863 could be collapsed to 1865 Via: 1.0 ricky, 1.1 mertz, 1.0 lucy 1867 A sender SHOULD NOT combine multiple entries unless they are all 1868 under the same organizational control and the hosts have already been 1869 replaced by pseudonyms. A sender MUST NOT combine entries that have 1870 different received-protocol values. 1872 5.5.2. Transformations 1874 Some intermediaries include features for transforming messages and 1875 their payloads. A proxy might, for example, convert between image 1876 formats in order to save cache space or to reduce the amount of 1877 traffic on a slow link. However, operational problems might occur 1878 when these transformations are applied to payloads intended for 1879 critical applications, such as medical imaging or scientific data 1880 analysis, particularly when integrity checks or digital signatures 1881 are used to ensure that the payload received is identical to the 1882 original. 1884 An HTTP-to-HTTP proxy is called a "transforming proxy" if it is 1885 designed or configured to modify messages in a semantically 1886 meaningful way (i.e., modifications, beyond those required by normal 1887 HTTP processing, that change the message in a way that would be 1888 significant to the original sender or potentially significant to 1889 downstream recipients). For example, a transforming proxy might be 1890 acting as a shared annotation server (modifying responses to include 1891 references to a local annotation database), a malware filter, a 1892 format transcoder, or a privacy filter. Such transformations are 1893 presumed to be desired by whichever client (or client organization) 1894 selected the proxy. 1896 If a proxy receives a request-target with a host name that is not a 1897 fully qualified domain name, it MAY add its own domain to the host 1898 name it received when forwarding the request. A proxy MUST NOT 1899 change the host name if the request-target contains a fully qualified 1900 domain name. 1902 A proxy MUST NOT modify the "absolute-path" and "query" parts of the 1903 received request-target when forwarding it to the next inbound 1904 server, except as noted above to replace an empty path with "/" or 1905 "*". 1907 A proxy MAY modify the message body through application or removal of 1908 a transfer coding (Section 7 of [Messaging]). 1910 A proxy MUST NOT transform the payload (Section 6.3) of a message 1911 that contains a no-transform cache-control response directive 1912 (Section 5.2 of [Caching]). 1914 A proxy MAY transform the payload of a message that does not contain 1915 a no-transform cache-control directive. A proxy that transforms the 1916 payload of a 200 (OK) response can inform downstream recipients that 1917 a transformation has been applied by changing the response status 1918 code to 203 (Non-Authoritative Information) (Section 9.3.4). 1920 A proxy SHOULD NOT modify header fields that provide information 1921 about the endpoints of the communication chain, the resource state, 1922 or the selected representation (other than the payload) unless the 1923 field's definition specifically allows such modification or the 1924 modification is deemed necessary for privacy or security. 1926 6. Representations 1928 Considering that a resource could be anything, and that the uniform 1929 interface provided by HTTP is similar to a window through which one 1930 can observe and act upon such a thing only through the communication 1931 of messages to some independent actor on the other side, an 1932 abstraction is needed to represent ("take the place of") the current 1933 or desired state of that thing in our communications. That 1934 abstraction is called a representation [REST]. 1936 For the purposes of HTTP, a "representation" is information that is 1937 intended to reflect a past, current, or desired state of a given 1938 resource, in a format that can be readily communicated via the 1939 protocol, and that consists of a set of representation metadata and a 1940 potentially unbounded stream of representation data. 1942 An origin server might be provided with, or be capable of generating, 1943 multiple representations that are each intended to reflect the 1944 current state of a target resource. In such cases, some algorithm is 1945 used by the origin server to select one of those representations as 1946 most applicable to a given request, usually based on content 1947 negotiation. This "selected representation" is used to provide the 1948 data and metadata for evaluating conditional requests (Section 8.2) 1949 and constructing the payload for 200 (OK) and 304 (Not Modified) 1950 responses to GET (Section 7.3.1). 1952 6.1. Representation Data 1954 The representation data associated with an HTTP message is either 1955 provided as the payload body of the message or referred to by the 1956 message semantics and the effective request URI. The representation 1957 data is in a format and encoding defined by the representation 1958 metadata header fields. 1960 The data type of the representation data is determined via the header 1961 fields Content-Type and Content-Encoding. These define a two-layer, 1962 ordered encoding model: 1964 representation-data := Content-Encoding( Content-Type( bits ) ) 1966 6.1.1. Media Type 1968 HTTP uses media types [RFC2046] in the Content-Type (Section 6.2.1) 1969 and Accept (Section 8.4.2) header fields in order to provide open and 1970 extensible data typing and type negotiation. Media types define both 1971 a data format and various processing models: how to process that data 1972 in accordance with each context in which it is received. 1974 media-type = type "/" subtype *( OWS ";" OWS parameter ) 1975 type = token 1976 subtype = token 1978 The type and subtype tokens are case-insensitive. 1980 The type/subtype MAY be followed by semicolon-delimited parameters 1981 (Section 4.2.3.4) in the form of name=value pairs. The presence or 1982 absence of a parameter might be significant to the processing of a 1983 media type, depending on its definition within the media type 1984 registry. Parameter values might or might not be case-sensitive, 1985 depending on the semantics of the parameter name. 1987 For example, the following media types are equivalent in describing 1988 HTML text data encoded in the UTF-8 character encoding scheme, but 1989 the first is preferred for consistency (the "charset" parameter value 1990 is defined as being case-insensitive in [RFC2046], Section 4.1.2): 1992 text/html;charset=utf-8 1993 Text/HTML;Charset="utf-8" 1994 text/html; charset="utf-8" 1995 text/html;charset=UTF-8 1997 Media types ought to be registered with IANA according to the 1998 procedures defined in [BCP13]. 2000 6.1.1.1. Charset 2002 HTTP uses charset names to indicate or negotiate the character 2003 encoding scheme of a textual representation [RFC6365]. A charset is 2004 identified by a case-insensitive token. 2006 charset = token 2008 Charset names ought to be registered in the IANA "Character Sets" 2009 registry () 2010 according to the procedures defined in Section 2 of [RFC2978]. 2012 Note: In theory, charset names are defined by the "mime-charset" 2013 ABNF rule defined in Section 2.3 of [RFC2978] (as corrected in 2014 [Err1912]). That rule allows two characters that are not included 2015 in "token" ("{" and "}"), but no charset name registered at the 2016 time of this writing includes braces (see [Err5433]). 2018 6.1.1.2. Canonicalization and Text Defaults 2020 Media types are registered with a canonical form in order to be 2021 interoperable among systems with varying native encoding formats. 2022 Representations selected or transferred via HTTP ought to be in 2023 canonical form, for many of the same reasons described by the 2024 Multipurpose Internet Mail Extensions (MIME) [RFC2045]. However, the 2025 performance characteristics of email deployments (i.e., store and 2026 forward messages to peers) are significantly different from those 2027 common to HTTP and the Web (server-based information services). 2029 Furthermore, MIME's constraints for the sake of compatibility with 2030 older mail transfer protocols do not apply to HTTP (see Appendix B of 2031 [Messaging]). 2033 MIME's canonical form requires that media subtypes of the "text" type 2034 use CRLF as the text line break. HTTP allows the transfer of text 2035 media with plain CR or LF alone representing a line break, when such 2036 line breaks are consistent for an entire representation. An HTTP 2037 sender MAY generate, and a recipient MUST be able to parse, line 2038 breaks in text media that consist of CRLF, bare CR, or bare LF. In 2039 addition, text media in HTTP is not limited to charsets that use 2040 octets 13 and 10 for CR and LF, respectively. This flexibility 2041 regarding line breaks applies only to text within a representation 2042 that has been assigned a "text" media type; it does not apply to 2043 "multipart" types or HTTP elements outside the payload body (e.g., 2044 header fields). 2046 If a representation is encoded with a content-coding, the underlying 2047 data ought to be in a form defined above prior to being encoded. 2049 6.1.1.3. Multipart Types 2051 MIME provides for a number of "multipart" types -- encapsulations of 2052 one or more representations within a single message body. All 2053 multipart types share a common syntax, as defined in Section 5.1.1 of 2054 [RFC2046], and include a boundary parameter as part of the media type 2055 value. The message body is itself a protocol element; a sender MUST 2056 generate only CRLF to represent line breaks between body parts. 2058 HTTP message framing does not use the multipart boundary as an 2059 indicator of message body length, though it might be used by 2060 implementations that generate or process the payload. For example, 2061 the "multipart/form-data" type is often used for carrying form data 2062 in a request, as described in [RFC7578], and the "multipart/ 2063 byteranges" type is defined by this specification for use in some 206 2064 (Partial Content) responses (see Section 9.3.7). 2066 6.1.2. Content Codings 2068 Content coding values indicate an encoding transformation that has 2069 been or can be applied to a representation. Content codings are 2070 primarily used to allow a representation to be compressed or 2071 otherwise usefully transformed without losing the identity of its 2072 underlying media type and without loss of information. Frequently, 2073 the representation is stored in coded form, transmitted directly, and 2074 only decoded by the final recipient. 2076 content-coding = token 2078 Content-coding values are used in the Accept-Encoding (Section 8.4.4) 2079 and Content-Encoding (Section 6.2.2) header fields. 2081 The following content-coding values are defined by this 2082 specification: 2084 +------------+------------------------------------------+-----------+ 2085 | Name | Description | Reference | 2086 +------------+------------------------------------------+-----------+ 2087 | compress | UNIX "compress" data format [Welch] | Section 6 | 2088 | | | .1.2.1 | 2089 | deflate | "deflate" compressed data ([RFC1951]) | Section 6 | 2090 | | inside the "zlib" data format | .1.2.2 | 2091 | | ([RFC1950]) | | 2092 | gzip | GZIP file format [RFC1952] | Section 6 | 2093 | | | .1.2.3 | 2094 | identity | Reserved (synonym for "no encoding" in | Section 8 | 2095 | | Accept-Encoding) | .4.4 | 2096 | x-compress | Deprecated (alias for compress) | Section 6 | 2097 | | | .1.2.1 | 2098 | x-gzip | Deprecated (alias for gzip) | Section 6 | 2099 | | | .1.2.3 | 2100 +------------+------------------------------------------+-----------+ 2102 Table 2 2104 6.1.2.1. Compress Coding 2106 The "compress" coding is an adaptive Lempel-Ziv-Welch (LZW) coding 2107 [Welch] that is commonly produced by the UNIX file compression 2108 program "compress". A recipient SHOULD consider "x-compress" to be 2109 equivalent to "compress". 2111 6.1.2.2. Deflate Coding 2113 The "deflate" coding is a "zlib" data format [RFC1950] containing a 2114 "deflate" compressed data stream [RFC1951] that uses a combination of 2115 the Lempel-Ziv (LZ77) compression algorithm and Huffman coding. 2117 Note: Some non-conformant implementations send the "deflate" 2118 compressed data without the zlib wrapper. 2120 6.1.2.3. Gzip Coding 2122 The "gzip" coding is an LZ77 coding with a 32-bit Cyclic Redundancy 2123 Check (CRC) that is commonly produced by the gzip file compression 2124 program [RFC1952]. A recipient SHOULD consider "x-gzip" to be 2125 equivalent to "gzip". 2127 6.1.2.4. Content Coding Extensibility 2129 Additional content codings, outside the scope of this specification, 2130 have been specified for use in HTTP. All such content codings ought 2131 to be registered within the "HTTP Content Coding Registry". 2133 6.1.2.4.1. Content Coding Registry 2135 The "HTTP Content Coding Registry", maintained by IANA at 2136 , registers 2137 content-coding names. 2139 Content coding registrations MUST include the following fields: 2141 o Name 2143 o Description 2145 o Pointer to specification text 2147 Names of content codings MUST NOT overlap with names of transfer 2148 codings (Section 7 of [Messaging]), unless the encoding 2149 transformation is identical (as is the case for the compression 2150 codings defined in Section 6.1.2). 2152 Values to be added to this namespace require IETF Review (see 2153 Section 4.8 of [RFC8126]) and MUST conform to the purpose of content 2154 coding defined in Section 6.1.2. 2156 6.1.3. Language Tags 2158 A language tag, as defined in [RFC5646], identifies a natural 2159 language spoken, written, or otherwise conveyed by human beings for 2160 communication of information to other human beings. Computer 2161 languages are explicitly excluded. 2163 HTTP uses language tags within the Accept-Language and Content- 2164 Language header fields. Accept-Language uses the broader language- 2165 range production defined in Section 8.4.5, whereas Content-Language 2166 uses the language-tag production defined below. 2168 language-tag = 2170 A language tag is a sequence of one or more case-insensitive subtags, 2171 each separated by a hyphen character ("-", %x2D). In most cases, a 2172 language tag consists of a primary language subtag that identifies a 2173 broad family of related languages (e.g., "en" = English), which is 2174 optionally followed by a series of subtags that refine or narrow that 2175 language's range (e.g., "en-CA" = the variety of English as 2176 communicated in Canada). Whitespace is not allowed within a language 2177 tag. Example tags include: 2179 fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN 2181 See [RFC5646] for further information. 2183 6.1.4. Range Units 2185 Representation data can be partitioned into subranges when there are 2186 addressable structural units inherent to that data's content coding 2187 or media type. For example, octet (a.k.a., byte) boundaries are a 2188 structural unit common to all representation data, allowing 2189 partitions of the data to be identified as a range of bytes at some 2190 offset from the start or end of that data. 2192 This general notion of a "range unit" is used in the Accept-Ranges 2193 (Section 10.4.1) response header field to advertise support for range 2194 requests, the Range (Section 8.3) request header field to delineate 2195 the parts of a representation that are requested, and the Content- 2196 Range (Section 6.3.4) payload header field to describe which part of 2197 a representation is being transferred. 2199 range-unit = token 2201 The following range unit names are defined by this document: 2203 +------------+-----------------------------------------+------------+ 2204 | Range Unit | Description | Reference | 2205 | Name | | | 2206 +------------+-----------------------------------------+------------+ 2207 | bytes | a range of octets | Section 6. | 2208 | | | 1.4.2 | 2209 | none | reserved as keyword to indicate range | Section 10 | 2210 | | requests are not supported | .4.1 | 2211 +------------+-----------------------------------------+------------+ 2213 Table 3 2215 6.1.4.1. Range Specifiers 2217 Ranges are expressed in terms of a range unit paired with a set of 2218 range specifiers. The range unit name determines what kinds of 2219 range-spec are applicable to its own specifiers. Hence, the 2220 following gramar is generic: each range unit is expected to specify 2221 requirements on when int-range, suffix-range, and other-range are 2222 allowed. 2224 A range request can specify a single range or a set of ranges within 2225 a single representation. 2227 ranges-specifier = range-unit "=" range-set 2228 range-set = 1#range-spec 2229 range-spec = int-range 2230 / suffix-range 2231 / other-range 2233 An int-range is a range expressed as two non-negative integers or as 2234 one non-negative integer through to the end of the representation 2235 data. The range unit specifies what the integers mean (e.g., they 2236 might indicate unit offsets from the beginning, inclusive numbered 2237 parts, etc.). 2239 int-range = first-pos "-" [ last-pos ] 2240 first-pos = 1*DIGIT 2241 last-pos = 1*DIGIT 2243 An int-range is invalid if the last-pos value is present and less 2244 than the first-pos. 2246 A suffix-range is a range expressed as a suffix of the representation 2247 data with the provided non-negative integer maximum length (in range 2248 units). In other words, the last N units of the representation data. 2250 suffix-range = "-" suffix-length 2251 suffix-length = 1*DIGIT 2253 To provide for extensibility, the other-range rule is a mostly 2254 unconstrained grammar that allows application-specific or future 2255 range units to define additional range specifiers. 2257 other-range = 1*( %x21-2B / %x2D-7E ) 2258 ; 1*(VCHAR excluding comma) 2260 6.1.4.2. Byte Ranges 2262 The "bytes" range unit is used to express subranges of a 2263 representation data's octet sequence. Each byte range is expressed 2264 as an integer range at some offset, relative to either the beginning 2265 (int-range) or end (suffix-range) of the representation data. Byte 2266 ranges do not use the other-range specifier. 2268 The first-pos value in a bytes int-range gives the offset of the 2269 first byte in a range. The last-pos value gives the offset of the 2270 last byte in the range; that is, the byte positions specified are 2271 inclusive. Byte offsets start at zero. 2273 If the representation data has a content coding applied, each byte 2274 range is calculated with respect to the encoded sequence of bytes, 2275 not the sequence of underlying bytes that would be obtained after 2276 decoding. 2278 Examples of bytes range specifiers: 2280 o The first 500 bytes (byte offsets 0-499, inclusive): 2282 bytes=0-499 2284 o The second 500 bytes (byte offsets 500-999, inclusive): 2286 bytes=500-999 2288 A client can limit the number of bytes requested without knowing the 2289 size of the selected representation. If the last-pos value is 2290 absent, or if the value is greater than or equal to the current 2291 length of the representation data, the byte range is interpreted as 2292 the remainder of the representation (i.e., the server replaces the 2293 value of last-pos with a value that is one less than the current 2294 length of the selected representation). 2296 A client can request the last N bytes of the selected representation 2297 using a suffix-range. If the selected representation is shorter than 2298 the specified suffix-length, the entire representation is used. 2300 Additional examples, assuming a representation of length 10000: 2302 o The final 500 bytes (byte offsets 9500-9999, inclusive): 2304 bytes=-500 2306 Or: 2308 bytes=9500- 2310 o The first and last bytes only (bytes 0 and 9999): 2312 bytes=0-0,-1 2314 o The first, middle, and last 1000 bytes: 2316 bytes= 0-999, 4500-5499, -1000 2318 o Other valid (but not canonical) specifications of the second 500 2319 bytes (byte offsets 500-999, inclusive): 2321 bytes=500-600,601-999 2322 bytes=500-700,601-999 2324 If a valid bytes range-set includes at least one range-spec with a 2325 first-pos that is less than the current length of the representation, 2326 or at least one suffix-range with a non-zero suffix-length, then the 2327 bytes range-set is satisfiable. Otherwise, the bytes range-set is 2328 unsatisfiable. 2330 In the byte-range syntax, first-pos, last-pos, and suffix-length are 2331 expressed as decimal number of octets. Since there is no predefined 2332 limit to the length of a payload, recipients MUST anticipate 2333 potentially large decimal numerals and prevent parsing errors due to 2334 integer conversion overflows. 2336 6.1.4.3. Other Range Units 2338 Other range units, such as format-specific boundaries like pages, 2339 sections, records, rows, or time, are potentially usable in HTTP for 2340 application-specific purposes, but are not commonly used in practice. 2341 Implementors of alternative range units ought to consider how they 2342 would work with content codings and general-purpose intermediaries. 2344 Range units are intended to be extensible. New range units ought to 2345 be registered with IANA, as defined in Section 6.1.4.4. 2347 6.1.4.4. Range Unit Registry 2349 The "HTTP Range Unit Registry" defines the namespace for the range 2350 unit names and refers to their corresponding specifications. It is 2351 maintained at . 2353 Registration of an HTTP Range Unit MUST include the following fields: 2355 o Name 2356 o Description 2358 o Pointer to specification text 2360 Values to be added to this namespace require IETF Review (see 2361 [RFC8126], Section 4.8). 2363 6.2. Representation Metadata 2365 Representation header fields provide metadata about the 2366 representation. When a message includes a payload body, the 2367 representation header fields describe how to interpret the 2368 representation data enclosed in the payload body. In a response to a 2369 HEAD request, the representation header fields describe the 2370 representation data that would have been enclosed in the payload body 2371 if the same request had been a GET. 2373 The following header fields convey representation metadata: 2375 +-------------------+---------------+ 2376 | Header Field Name | Defined in... | 2377 +-------------------+---------------+ 2378 | Content-Type | Section 6.2.1 | 2379 | Content-Encoding | Section 6.2.2 | 2380 | Content-Language | Section 6.2.3 | 2381 | Content-Length | Section 6.2.4 | 2382 | Content-Location | Section 6.2.5 | 2383 +-------------------+---------------+ 2385 6.2.1. Content-Type 2387 The "Content-Type" header field indicates the media type of the 2388 associated representation: either the representation enclosed in the 2389 message payload or the selected representation, as determined by the 2390 message semantics. The indicated media type defines both the data 2391 format and how that data is intended to be processed by a recipient, 2392 within the scope of the received message semantics, after any content 2393 codings indicated by Content-Encoding are decoded. 2395 Content-Type = media-type 2397 Media types are defined in Section 6.1.1. An example of the field is 2399 Content-Type: text/html; charset=ISO-8859-4 2401 A sender that generates a message containing a payload body SHOULD 2402 generate a Content-Type header field in that message unless the 2403 intended media type of the enclosed representation is unknown to the 2404 sender. If a Content-Type header field is not present, the recipient 2405 MAY either assume a media type of "application/octet-stream" 2406 ([RFC2046], Section 4.5.1) or examine the data to determine its type. 2408 In practice, resource owners do not always properly configure their 2409 origin server to provide the correct Content-Type for a given 2410 representation. Some user agents examine a payload's content and, in 2411 certain cases, override the received type (for example, see 2412 [Sniffing]). This "MIME sniffing" risks drawing incorrect 2413 conclusions about the data, which might expose the user to additional 2414 security risks (e.g., "privilege escalation"). Furthermore, it is 2415 impossible to determine the sender's intended processing model by 2416 examining the data format: many data formats match multiple media 2417 types that differ only in processing semantics. Implementers are 2418 encouraged to provide a means to disable such sniffing. 2420 6.2.2. Content-Encoding 2422 The "Content-Encoding" header field indicates what content codings 2423 have been applied to the representation, beyond those inherent in the 2424 media type, and thus what decoding mechanisms have to be applied in 2425 order to obtain data in the media type referenced by the Content-Type 2426 header field. Content-Encoding is primarily used to allow a 2427 representation's data to be compressed without losing the identity of 2428 its underlying media type. 2430 Content-Encoding = 1#content-coding 2432 An example of its use is 2434 Content-Encoding: gzip 2436 If one or more encodings have been applied to a representation, the 2437 sender that applied the encodings MUST generate a Content-Encoding 2438 header field that lists the content codings in the order in which 2439 they were applied. Additional information about the encoding 2440 parameters can be provided by other header fields not defined by this 2441 specification. 2443 Unlike Transfer-Encoding (Section 6.1 of [Messaging]), the codings 2444 listed in Content-Encoding are a characteristic of the 2445 representation; the representation is defined in terms of the coded 2446 form, and all other metadata about the representation is about the 2447 coded form unless otherwise noted in the metadata definition. 2448 Typically, the representation is only decoded just prior to rendering 2449 or analogous usage. 2451 If the media type includes an inherent encoding, such as a data 2452 format that is always compressed, then that encoding would not be 2453 restated in Content-Encoding even if it happens to be the same 2454 algorithm as one of the content codings. Such a content coding would 2455 only be listed if, for some bizarre reason, it is applied a second 2456 time to form the representation. Likewise, an origin server might 2457 choose to publish the same data as multiple representations that 2458 differ only in whether the coding is defined as part of Content-Type 2459 or Content-Encoding, since some user agents will behave differently 2460 in their handling of each response (e.g., open a "Save as ..." dialog 2461 instead of automatic decompression and rendering of content). 2463 An origin server MAY respond with a status code of 415 (Unsupported 2464 Media Type) if a representation in the request message has a content 2465 coding that is not acceptable. 2467 6.2.3. Content-Language 2469 The "Content-Language" header field describes the natural language(s) 2470 of the intended audience for the representation. Note that this 2471 might not be equivalent to all the languages used within the 2472 representation. 2474 Content-Language = 1#language-tag 2476 Language tags are defined in Section 6.1.3. The primary purpose of 2477 Content-Language is to allow a user to identify and differentiate 2478 representations according to the users' own preferred language. 2479 Thus, if the content is intended only for a Danish-literate audience, 2480 the appropriate field is 2482 Content-Language: da 2484 If no Content-Language is specified, the default is that the content 2485 is intended for all language audiences. This might mean that the 2486 sender does not consider it to be specific to any natural language, 2487 or that the sender does not know for which language it is intended. 2489 Multiple languages MAY be listed for content that is intended for 2490 multiple audiences. For example, a rendition of the "Treaty of 2491 Waitangi", presented simultaneously in the original Maori and English 2492 versions, would call for 2494 Content-Language: mi, en 2496 However, just because multiple languages are present within a 2497 representation does not mean that it is intended for multiple 2498 linguistic audiences. An example would be a beginner's language 2499 primer, such as "A First Lesson in Latin", which is clearly intended 2500 to be used by an English-literate audience. In this case, the 2501 Content-Language would properly only include "en". 2503 Content-Language MAY be applied to any media type -- it is not 2504 limited to textual documents. 2506 6.2.4. Content-Length 2508 [[CREF2: The "Content-Length" header field indicates the number of 2509 data octets (body length) for the representation. In some cases, 2510 Content-Length is used to define or estimate message framing. ]] 2512 Content-Length = 1*DIGIT 2514 An example is 2516 Content-Length: 3495 2518 A sender MUST NOT send a Content-Length header field in any message 2519 that contains a Transfer-Encoding header field. 2521 A user agent SHOULD send a Content-Length in a request message when 2522 no Transfer-Encoding is sent and the request method defines a meaning 2523 for an enclosed payload body. For example, a Content-Length header 2524 field is normally sent in a POST request even when the value is 0 2525 (indicating an empty payload body). A user agent SHOULD NOT send a 2526 Content-Length header field when the request message does not contain 2527 a payload body and the method semantics do not anticipate such a 2528 body. 2530 A server MAY send a Content-Length header field in a response to a 2531 HEAD request (Section 7.3.2); a server MUST NOT send Content-Length 2532 in such a response unless its field-value equals the decimal number 2533 of octets that would have been sent in the payload body of a response 2534 if the same request had used the GET method. 2536 A server MAY send a Content-Length header field in a 304 (Not 2537 Modified) response to a conditional GET request (Section 9.4.5); a 2538 server MUST NOT send Content-Length in such a response unless its 2539 field-value equals the decimal number of octets that would have been 2540 sent in the payload body of a 200 (OK) response to the same request. 2542 A server MUST NOT send a Content-Length header field in any response 2543 with a status code of 1xx (Informational) or 204 (No Content). A 2544 server MUST NOT send a Content-Length header field in any 2xx 2545 (Successful) response to a CONNECT request (Section 7.3.6). 2547 Aside from the cases defined above, in the absence of Transfer- 2548 Encoding, an origin server SHOULD send a Content-Length header field 2549 when the payload body size is known prior to sending the complete 2550 header section. This will allow downstream recipients to measure 2551 transfer progress, know when a received message is complete, and 2552 potentially reuse the connection for additional requests. 2554 Any Content-Length field value greater than or equal to zero is 2555 valid. Since there is no predefined limit to the length of a 2556 payload, a recipient MUST anticipate potentially large decimal 2557 numerals and prevent parsing errors due to integer conversion 2558 overflows (Section 13.5). 2560 If a message is received that has multiple Content-Length header 2561 fields with field-values consisting of the same decimal value, or a 2562 single Content-Length header field with a field value containing a 2563 list of identical decimal values (e.g., "Content-Length: 42, 42"), 2564 indicating that duplicate Content-Length header fields have been 2565 generated or combined by an upstream message processor, then the 2566 recipient MUST either reject the message as invalid or replace the 2567 duplicated field-values with a single valid Content-Length field 2568 containing that decimal value prior to determining the message body 2569 length or forwarding the message. 2571 6.2.5. Content-Location 2573 The "Content-Location" header field references a URI that can be used 2574 as an identifier for a specific resource corresponding to the 2575 representation in this message's payload. In other words, if one 2576 were to perform a GET request on this URI at the time of this 2577 message's generation, then a 200 (OK) response would contain the same 2578 representation that is enclosed as payload in this message. 2580 Content-Location = absolute-URI / partial-URI 2582 The Content-Location value is not a replacement for the effective 2583 Request URI (Section 5.3). It is representation metadata. It has 2584 the same syntax and semantics as the header field of the same name 2585 defined for MIME body parts in Section 4 of [RFC2557]. However, its 2586 appearance in an HTTP message has some special implications for HTTP 2587 recipients. 2589 If Content-Location is included in a 2xx (Successful) response 2590 message and its value refers (after conversion to absolute form) to a 2591 URI that is the same as the effective request URI, then the recipient 2592 MAY consider the payload to be a current representation of that 2593 resource at the time indicated by the message origination date. For 2594 a GET (Section 7.3.1) or HEAD (Section 7.3.2) request, this is the 2595 same as the default semantics when no Content-Location is provided by 2596 the server. For a state-changing request like PUT (Section 7.3.4) or 2597 POST (Section 7.3.3), it implies that the server's response contains 2598 the new representation of that resource, thereby distinguishing it 2599 from representations that might only report about the action (e.g., 2600 "It worked!"). This allows authoring applications to update their 2601 local copies without the need for a subsequent GET request. 2603 If Content-Location is included in a 2xx (Successful) response 2604 message and its field-value refers to a URI that differs from the 2605 effective request URI, then the origin server claims that the URI is 2606 an identifier for a different resource corresponding to the enclosed 2607 representation. Such a claim can only be trusted if both identifiers 2608 share the same resource owner, which cannot be programmatically 2609 determined via HTTP. 2611 o For a response to a GET or HEAD request, this is an indication 2612 that the effective request URI refers to a resource that is 2613 subject to content negotiation and the Content-Location field- 2614 value is a more specific identifier for the selected 2615 representation. 2617 o For a 201 (Created) response to a state-changing method, a 2618 Content-Location field-value that is identical to the Location 2619 field-value indicates that this payload is a current 2620 representation of the newly created resource. 2622 o Otherwise, such a Content-Location indicates that this payload is 2623 a representation reporting on the requested action's status and 2624 that the same report is available (for future access with GET) at 2625 the given URI. For example, a purchase transaction made via a 2626 POST request might include a receipt document as the payload of 2627 the 200 (OK) response; the Content-Location field-value provides 2628 an identifier for retrieving a copy of that same receipt in the 2629 future. 2631 A user agent that sends Content-Location in a request message is 2632 stating that its value refers to where the user agent originally 2633 obtained the content of the enclosed representation (prior to any 2634 modifications made by that user agent). In other words, the user 2635 agent is providing a back link to the source of the original 2636 representation. 2638 An origin server that receives a Content-Location field in a request 2639 message MUST treat the information as transitory request context 2640 rather than as metadata to be saved verbatim as part of the 2641 representation. An origin server MAY use that context to guide in 2642 processing the request or to save it for other uses, such as within 2643 source links or versioning metadata. However, an origin server MUST 2644 NOT use such context information to alter the request semantics. 2646 For example, if a client makes a PUT request on a negotiated resource 2647 and the origin server accepts that PUT (without redirection), then 2648 the new state of that resource is expected to be consistent with the 2649 one representation supplied in that PUT; the Content-Location cannot 2650 be used as a form of reverse content selection identifier to update 2651 only one of the negotiated representations. If the user agent had 2652 wanted the latter semantics, it would have applied the PUT directly 2653 to the Content-Location URI. 2655 6.3. Payload 2657 Some HTTP messages transfer a complete or partial representation as 2658 the message "payload". In some cases, a payload might contain only 2659 the associated representation's header fields (e.g., responses to 2660 HEAD) or only some part(s) of the representation data (e.g., the 206 2661 (Partial Content) status code). 2663 Header fields that specifically describe the payload, rather than the 2664 associated representation, are referred to as "payload header 2665 fields". Payload header fields are defined in other parts of this 2666 specification, due to their impact on message parsing. 2668 +-------------------+----------------------------+ 2669 | Header Field Name | Defined in... | 2670 +-------------------+----------------------------+ 2671 | Content-Range | Section 6.3.4 | 2672 | Trailer | Section 4.3.3 | 2673 | Transfer-Encoding | Section 6.1 of [Messaging] | 2674 +-------------------+----------------------------+ 2676 6.3.1. Purpose 2678 The purpose of a payload in a request is defined by the method 2679 semantics. For example, a representation in the payload of a PUT 2680 request (Section 7.3.4) represents the desired state of the target 2681 resource if the request is successfully applied, whereas a 2682 representation in the payload of a POST request (Section 7.3.3) 2683 represents information to be processed by the target resource. 2685 In a response, the payload's purpose is defined by both the request 2686 method and the response status code. For example, the payload of a 2687 200 (OK) response to GET (Section 7.3.1) represents the current state 2688 of the target resource, as observed at the time of the message 2689 origination date (Section 10.1.1.2), whereas the payload of the same 2690 status code in a response to POST might represent either the 2691 processing result or the new state of the target resource after 2692 applying the processing. Response messages with an error status code 2693 usually contain a payload that represents the error condition, such 2694 that it describes the error state and what next steps are suggested 2695 for resolving it. 2697 6.3.2. Identification 2699 When a complete or partial representation is transferred in a message 2700 payload, it is often desirable for the sender to supply, or the 2701 recipient to determine, an identifier for a resource corresponding to 2702 that representation. 2704 For a request message: 2706 o If the request has a Content-Location header field, then the 2707 sender asserts that the payload is a representation of the 2708 resource identified by the Content-Location field-value. However, 2709 such an assertion cannot be trusted unless it can be verified by 2710 other means (not defined by this specification). The information 2711 might still be useful for revision history links. 2713 o Otherwise, the payload is unidentified. 2715 For a response message, the following rules are applied in order 2716 until a match is found: 2718 1. If the request method is GET or HEAD and the response status code 2719 is 200 (OK), 204 (No Content), 206 (Partial Content), or 304 (Not 2720 Modified), the payload is a representation of the resource 2721 identified by the effective request URI (Section 5.3). 2723 2. If the request method is GET or HEAD and the response status code 2724 is 203 (Non-Authoritative Information), the payload is a 2725 potentially modified or enhanced representation of the target 2726 resource as provided by an intermediary. 2728 3. If the response has a Content-Location header field and its 2729 field-value is a reference to the same URI as the effective 2730 request URI, the payload is a representation of the resource 2731 identified by the effective request URI. 2733 4. If the response has a Content-Location header field and its 2734 field-value is a reference to a URI different from the effective 2735 request URI, then the sender asserts that the payload is a 2736 representation of the resource identified by the Content-Location 2737 field-value. However, such an assertion cannot be trusted unless 2738 it can be verified by other means (not defined by this 2739 specification). 2741 5. Otherwise, the payload is unidentified. 2743 6.3.3. Payload Body 2745 The payload body contains the data of a request or response. This is 2746 distinct from the message body (e.g., Section 6 of [Messaging]), 2747 which is how the payload body is transferred "on the wire", and might 2748 be encoded, depending on the HTTP version in use. 2750 It is also distinct from a request or response's representation data 2751 (Section 6.1), which can be inferred from protocol operation, rather 2752 than necessarily appearing "on the wire." 2754 The presence of a payload body in a request depends on whether the 2755 request method used defines semantics for it. 2757 The presence of a payload body in a response depends on both the 2758 request method to which it is responding and the response status code 2759 (Section 9). 2761 Responses to the HEAD request method (Section 7.3.2) never include a 2762 payload body because the associated response header fields indicate 2763 only what their values would have been if the request method had been 2764 GET (Section 7.3.1). 2766 2xx (Successful) responses to a CONNECT request method 2767 (Section 7.3.6) switch the connection to tunnel mode instead of 2768 having a payload body. 2770 All 1xx (Informational), 204 (No Content), and 304 (Not Modified) 2771 responses do not include a payload body. 2773 All other responses do include a payload body, although that body 2774 might be of zero length. 2776 6.3.4. Content-Range 2778 The "Content-Range" header field is sent in a single part 206 2779 (Partial Content) response to indicate the partial range of the 2780 selected representation enclosed as the message payload, sent in each 2781 part of a multipart 206 response to indicate the range enclosed 2782 within each body part, and sent in 416 (Range Not Satisfiable) 2783 responses to provide information about the selected representation. 2785 Content-Range = range-unit SP 2786 ( range-resp / unsatisfied-range ) 2788 range-resp = incl-range "/" ( complete-length / "*" ) 2789 incl-range = first-pos "-" last-pos 2790 unsatisfied-range = "*/" complete-length 2792 complete-length = 1*DIGIT 2794 If a 206 (Partial Content) response contains a Content-Range header 2795 field with a range unit (Section 6.1.4) that the recipient does not 2796 understand, the recipient MUST NOT attempt to recombine it with a 2797 stored representation. A proxy that receives such a message SHOULD 2798 forward it downstream. 2800 For byte ranges, a sender SHOULD indicate the complete length of the 2801 representation from which the range has been extracted, unless the 2802 complete length is unknown or difficult to determine. An asterisk 2803 character ("*") in place of the complete-length indicates that the 2804 representation length was unknown when the header field was 2805 generated. 2807 The following example illustrates when the complete length of the 2808 selected representation is known by the sender to be 1234 bytes: 2810 Content-Range: bytes 42-1233/1234 2812 and this second example illustrates when the complete length is 2813 unknown: 2815 Content-Range: bytes 42-1233/* 2817 A Content-Range field value is invalid if it contains a range-resp 2818 that has a last-pos value less than its first-pos value, or a 2819 complete-length value less than or equal to its last-pos value. The 2820 recipient of an invalid Content-Range MUST NOT attempt to recombine 2821 the received content with a stored representation. 2823 A server generating a 416 (Range Not Satisfiable) response to a byte- 2824 range request SHOULD send a Content-Range header field with an 2825 unsatisfied-range value, as in the following example: 2827 Content-Range: bytes */1234 2829 The complete-length in a 416 response indicates the current length of 2830 the selected representation. 2832 The Content-Range header field has no meaning for status codes that 2833 do not explicitly describe its semantic. For this specification, 2834 only the 206 (Partial Content) and 416 (Range Not Satisfiable) status 2835 codes describe a meaning for Content-Range. 2837 The following are examples of Content-Range values in which the 2838 selected representation contains a total of 1234 bytes: 2840 o The first 500 bytes: 2842 Content-Range: bytes 0-499/1234 2844 o The second 500 bytes: 2846 Content-Range: bytes 500-999/1234 2848 o All except for the first 500 bytes: 2850 Content-Range: bytes 500-1233/1234 2852 o The last 500 bytes: 2854 Content-Range: bytes 734-1233/1234 2856 6.3.5. Media Type multipart/byteranges 2858 When a 206 (Partial Content) response message includes the content of 2859 multiple ranges, they are transmitted as body parts in a multipart 2860 message body ([RFC2046], Section 5.1) with the media type of 2861 "multipart/byteranges". 2863 The multipart/byteranges media type includes one or more body parts, 2864 each with its own Content-Type and Content-Range fields. The 2865 required boundary parameter specifies the boundary string used to 2866 separate each body part. 2868 Implementation Notes: 2870 1. Additional CRLFs might precede the first boundary string in the 2871 body. 2873 2. Although [RFC2046] permits the boundary string to be quoted, some 2874 existing implementations handle a quoted boundary string 2875 incorrectly. 2877 3. A number of clients and servers were coded to an early draft of 2878 the byteranges specification that used a media type of multipart/ 2879 x-byteranges, which is almost (but not quite) compatible with 2880 this type. 2882 Despite the name, the "multipart/byteranges" media type is not 2883 limited to byte ranges. The following example uses an "exampleunit" 2884 range unit: 2886 HTTP/1.1 206 Partial Content 2887 Date: Tue, 14 Nov 1995 06:25:24 GMT 2888 Last-Modified: Tue, 14 July 04:58:08 GMT 2889 Content-Length: 2331785 2890 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 2892 --THIS_STRING_SEPARATES 2893 Content-Type: video/example 2894 Content-Range: exampleunit 1.2-4.3/25 2896 ...the first range... 2897 --THIS_STRING_SEPARATES 2898 Content-Type: video/example 2899 Content-Range: exampleunit 11.2-14.3/25 2901 ...the second range 2902 --THIS_STRING_SEPARATES-- 2904 The following information serves as the registration form for the 2905 multipart/byteranges media type. 2907 Type name: multipart 2909 Subtype name: byteranges 2911 Required parameters: boundary 2913 Optional parameters: N/A 2915 Encoding considerations: only "7bit", "8bit", or "binary" are 2916 permitted 2918 Security considerations: see Section 13 2920 Interoperability considerations: N/A 2921 Published specification: This specification (see Section 6.3.5). 2923 Applications that use this media type: HTTP components supporting 2924 multiple ranges in a single request. 2926 Fragment identifier considerations: N/A 2928 Additional information: 2930 Deprecated alias names for this type: N/A 2932 Magic number(s): N/A 2934 File extension(s): N/A 2936 Macintosh file type code(s): N/A 2938 Person and email address to contact for further information: See Aut 2939 hors' Addresses section. 2941 Intended usage: COMMON 2943 Restrictions on usage: N/A 2945 Author: See Authors' Addresses section. 2947 Change controller: IESG 2949 6.4. Content Negotiation 2951 When responses convey payload information, whether indicating a 2952 success or an error, the origin server often has different ways of 2953 representing that information; for example, in different formats, 2954 languages, or encodings. Likewise, different users or user agents 2955 might have differing capabilities, characteristics, or preferences 2956 that could influence which representation, among those available, 2957 would be best to deliver. For this reason, HTTP provides mechanisms 2958 for content negotiation. 2960 This specification defines two patterns of content negotiation that 2961 can be made visible within the protocol: "proactive", where the 2962 server selects the representation based upon the user agent's stated 2963 preferences, and "reactive" negotiation, where the server provides a 2964 list of representations for the user agent to choose from. Other 2965 patterns of content negotiation include "conditional content", where 2966 the representation consists of multiple parts that are selectively 2967 rendered based on user agent parameters, "active content", where the 2968 representation contains a script that makes additional (more 2969 specific) requests based on the user agent characteristics, and 2970 "Transparent Content Negotiation" ([RFC2295]), where content 2971 selection is performed by an intermediary. These patterns are not 2972 mutually exclusive, and each has trade-offs in applicability and 2973 practicality. 2975 Note that, in all cases, HTTP is not aware of the resource semantics. 2976 The consistency with which an origin server responds to requests, 2977 over time and over the varying dimensions of content negotiation, and 2978 thus the "sameness" of a resource's observed representations over 2979 time, is determined entirely by whatever entity or algorithm selects 2980 or generates those responses. HTTP pays no attention to the man 2981 behind the curtain. 2983 6.4.1. Proactive Negotiation 2985 When content negotiation preferences are sent by the user agent in a 2986 request to encourage an algorithm located at the server to select the 2987 preferred representation, it is called proactive negotiation (a.k.a., 2988 server-driven negotiation). Selection is based on the available 2989 representations for a response (the dimensions over which it might 2990 vary, such as language, content-coding, etc.) compared to various 2991 information supplied in the request, including both the explicit 2992 negotiation fields of Section 8.4 and implicit characteristics, such 2993 as the client's network address or parts of the User-Agent field. 2995 Proactive negotiation is advantageous when the algorithm for 2996 selecting from among the available representations is difficult to 2997 describe to a user agent, or when the server desires to send its 2998 "best guess" to the user agent along with the first response (hoping 2999 to avoid the round trip delay of a subsequent request if the "best 3000 guess" is good enough for the user). In order to improve the 3001 server's guess, a user agent MAY send request header fields that 3002 describe its preferences. 3004 Proactive negotiation has serious disadvantages: 3006 o It is impossible for the server to accurately determine what might 3007 be "best" for any given user, since that would require complete 3008 knowledge of both the capabilities of the user agent and the 3009 intended use for the response (e.g., does the user want to view it 3010 on screen or print it on paper?); 3012 o Having the user agent describe its capabilities in every request 3013 can be both very inefficient (given that only a small percentage 3014 of responses have multiple representations) and a potential risk 3015 to the user's privacy; 3017 o It complicates the implementation of an origin server and the 3018 algorithms for generating responses to a request; and, 3020 o It limits the reusability of responses for shared caching. 3022 A user agent cannot rely on proactive negotiation preferences being 3023 consistently honored, since the origin server might not implement 3024 proactive negotiation for the requested resource or might decide that 3025 sending a response that doesn't conform to the user agent's 3026 preferences is better than sending a 406 (Not Acceptable) response. 3028 A Vary header field (Section 10.1.4) is often sent in a response 3029 subject to proactive negotiation to indicate what parts of the 3030 request information were used in the selection algorithm. 3032 6.4.2. Reactive Negotiation 3034 With reactive negotiation (a.k.a., agent-driven negotiation), 3035 selection of the best response representation (regardless of the 3036 status code) is performed by the user agent after receiving an 3037 initial response from the origin server that contains a list of 3038 resources for alternative representations. If the user agent is not 3039 satisfied by the initial response representation, it can perform a 3040 GET request on one or more of the alternative resources, selected 3041 based on metadata included in the list, to obtain a different form of 3042 representation for that response. Selection of alternatives might be 3043 performed automatically by the user agent or manually by the user 3044 selecting from a generated (possibly hypertext) menu. 3046 Note that the above refers to representations of the response, in 3047 general, not representations of the resource. The alternative 3048 representations are only considered representations of the target 3049 resource if the response in which those alternatives are provided has 3050 the semantics of being a representation of the target resource (e.g., 3051 a 200 (OK) response to a GET request) or has the semantics of 3052 providing links to alternative representations for the target 3053 resource (e.g., a 300 (Multiple Choices) response to a GET request). 3055 A server might choose not to send an initial representation, other 3056 than the list of alternatives, and thereby indicate that reactive 3057 negotiation by the user agent is preferred. For example, the 3058 alternatives listed in responses with the 300 (Multiple Choices) and 3059 406 (Not Acceptable) status codes include information about the 3060 available representations so that the user or user agent can react by 3061 making a selection. 3063 Reactive negotiation is advantageous when the response would vary 3064 over commonly used dimensions (such as type, language, or encoding), 3065 when the origin server is unable to determine a user agent's 3066 capabilities from examining the request, and generally when public 3067 caches are used to distribute server load and reduce network usage. 3069 Reactive negotiation suffers from the disadvantages of transmitting a 3070 list of alternatives to the user agent, which degrades user-perceived 3071 latency if transmitted in the header section, and needing a second 3072 request to obtain an alternate representation. Furthermore, this 3073 specification does not define a mechanism for supporting automatic 3074 selection, though it does not prevent such a mechanism from being 3075 developed as an extension. 3077 7. Request Methods 3079 7.1. Overview 3081 The request method token is the primary source of request semantics; 3082 it indicates the purpose for which the client has made this request 3083 and what is expected by the client as a successful result. 3085 The request method's semantics might be further specialized by the 3086 semantics of some header fields when present in a request (Section 8) 3087 if those additional semantics do not conflict with the method. For 3088 example, a client can send conditional request header fields 3089 (Section 8.2) to make the requested action conditional on the current 3090 state of the target resource. 3092 method = token 3094 HTTP was originally designed to be usable as an interface to 3095 distributed object systems. The request method was envisioned as 3096 applying semantics to a target resource in much the same way as 3097 invoking a defined method on an identified object would apply 3098 semantics. 3100 The method token is case-sensitive because it might be used as a 3101 gateway to object-based systems with case-sensitive method names. By 3102 convention, standardized methods are defined in all-uppercase US- 3103 ASCII letters. 3105 Unlike distributed objects, the standardized request methods in HTTP 3106 are not resource-specific, since uniform interfaces provide for 3107 better visibility and reuse in network-based systems [REST]. Once 3108 defined, a standardized method ought to have the same semantics when 3109 applied to any resource, though each resource determines for itself 3110 whether those semantics are implemented or allowed. 3112 This specification defines a number of standardized methods that are 3113 commonly used in HTTP, as outlined by the following table. 3115 +---------+-------------------------------------------------+-------+ 3116 | Method | Description | Sec. | 3117 +---------+-------------------------------------------------+-------+ 3118 | GET | Transfer a current representation of the target | 7.3.1 | 3119 | | resource. | | 3120 | HEAD | Same as GET, but only transfer the status line | 7.3.2 | 3121 | | and header section. | | 3122 | POST | Perform resource-specific processing on the | 7.3.3 | 3123 | | request payload. | | 3124 | PUT | Replace all current representations of the | 7.3.4 | 3125 | | target resource with the request payload. | | 3126 | DELETE | Remove all current representations of the | 7.3.5 | 3127 | | target resource. | | 3128 | CONNECT | Establish a tunnel to the server identified by | 7.3.6 | 3129 | | the target resource. | | 3130 | OPTIONS | Describe the communication options for the | 7.3.7 | 3131 | | target resource. | | 3132 | TRACE | Perform a message loop-back test along the path | 7.3.8 | 3133 | | to the target resource. | | 3134 +---------+-------------------------------------------------+-------+ 3136 Table 4 3138 All general-purpose servers MUST support the methods GET and HEAD. 3139 All other methods are OPTIONAL. 3141 The set of methods allowed by a target resource can be listed in an 3142 Allow header field (Section 10.4.2). However, the set of allowed 3143 methods can change dynamically. When a request method is received 3144 that is unrecognized or not implemented by an origin server, the 3145 origin server SHOULD respond with the 501 (Not Implemented) status 3146 code. When a request method is received that is known by an origin 3147 server but not allowed for the target resource, the origin server 3148 SHOULD respond with the 405 (Method Not Allowed) status code. 3150 7.2. Common Method Properties 3151 +---------+------+------------+----------------+ 3152 | Method | Safe | Idempotent | Reference | 3153 +---------+------+------------+----------------+ 3154 | CONNECT | no | no | Section 7.3.6 | 3155 | DELETE | no | yes | Section 7.3.5 | 3156 | GET | yes | yes | Section 7.3.1 | 3157 | HEAD | yes | yes | Section 7.3.2 | 3158 | OPTIONS | yes | yes | Section 7.3.7 | 3159 | POST | no | no | Section 7.3.3 | 3160 | PUT | no | yes | Section 7.3.4 | 3161 | TRACE | yes | yes | Section 7.3.8 | 3162 +---------+------+------------+----------------+ 3164 Table 5 3166 7.2.1. Safe Methods 3168 Request methods are considered "safe" if their defined semantics are 3169 essentially read-only; i.e., the client does not request, and does 3170 not expect, any state change on the origin server as a result of 3171 applying a safe method to a target resource. Likewise, reasonable 3172 use of a safe method is not expected to cause any harm, loss of 3173 property, or unusual burden on the origin server. 3175 This definition of safe methods does not prevent an implementation 3176 from including behavior that is potentially harmful, that is not 3177 entirely read-only, or that causes side effects while invoking a safe 3178 method. What is important, however, is that the client did not 3179 request that additional behavior and cannot be held accountable for 3180 it. For example, most servers append request information to access 3181 log files at the completion of every response, regardless of the 3182 method, and that is considered safe even though the log storage might 3183 become full and crash the server. Likewise, a safe request initiated 3184 by selecting an advertisement on the Web will often have the side 3185 effect of charging an advertising account. 3187 Of the request methods defined by this specification, the GET, HEAD, 3188 OPTIONS, and TRACE methods are defined to be safe. 3190 The purpose of distinguishing between safe and unsafe methods is to 3191 allow automated retrieval processes (spiders) and cache performance 3192 optimization (pre-fetching) to work without fear of causing harm. In 3193 addition, it allows a user agent to apply appropriate constraints on 3194 the automated use of unsafe methods when processing potentially 3195 untrusted content. 3197 A user agent SHOULD distinguish between safe and unsafe methods when 3198 presenting potential actions to a user, such that the user can be 3199 made aware of an unsafe action before it is requested. 3201 When a resource is constructed such that parameters within the 3202 effective request URI have the effect of selecting an action, it is 3203 the resource owner's responsibility to ensure that the action is 3204 consistent with the request method semantics. For example, it is 3205 common for Web-based content editing software to use actions within 3206 query parameters, such as "page?do=delete". If the purpose of such a 3207 resource is to perform an unsafe action, then the resource owner MUST 3208 disable or disallow that action when it is accessed using a safe 3209 request method. Failure to do so will result in unfortunate side 3210 effects when automated processes perform a GET on every URI reference 3211 for the sake of link maintenance, pre-fetching, building a search 3212 index, etc. 3214 7.2.2. Idempotent Methods 3216 A request method is considered "idempotent" if the intended effect on 3217 the server of multiple identical requests with that method is the 3218 same as the effect for a single such request. Of the request methods 3219 defined by this specification, PUT, DELETE, and safe request methods 3220 are idempotent. 3222 Like the definition of safe, the idempotent property only applies to 3223 what has been requested by the user; a server is free to log each 3224 request separately, retain a revision control history, or implement 3225 other non-idempotent side effects for each idempotent request. 3227 Idempotent methods are distinguished because the request can be 3228 repeated automatically if a communication failure occurs before the 3229 client is able to read the server's response. For example, if a 3230 client sends a PUT request and the underlying connection is closed 3231 before any response is received, then the client can establish a new 3232 connection and retry the idempotent request. It knows that repeating 3233 the request will have the same intended effect, even if the original 3234 request succeeded, though the response might differ. 3236 A client SHOULD NOT automatically retry a request with a non- 3237 idempotent method unless it has some means to know that the request 3238 semantics are actually idempotent, regardless of the method, or some 3239 means to detect that the original request was never applied. 3241 For example, a user agent that knows (through design or 3242 configuration) that a POST request to a given resource is safe can 3243 repeat that request automatically. Likewise, a user agent designed 3244 specifically to operate on a version control repository might be able 3245 to recover from partial failure conditions by checking the target 3246 resource revision(s) after a failed connection, reverting or fixing 3247 any changes that were partially applied, and then automatically 3248 retrying the requests that failed. 3250 Some clients use weaker signals to initiate automatic retries. For 3251 example, when a POST request is sent, but the underlying transport 3252 connection is closed before any part of the response is received. 3253 Although this is commonly implemented, it is not recommended. 3255 A proxy MUST NOT automatically retry non-idempotent requests. A 3256 client SHOULD NOT automatically retry a failed automatic retry. 3258 7.2.3. Methods and Caching 3260 For a cache to store and use a response, the associated method needs 3261 to explicitly allow caching, and detail under what conditions a 3262 response can be used to satisfy subsequent requests; a method 3263 definition which does not do so cannot be cached. For additional 3264 requirements see [Caching]. 3266 This specification defines caching semantics for GET, HEAD, and POST, 3267 although the overwhelming majority of cache implementations only 3268 support GET and HEAD. 3270 7.3. Method Definitions 3272 7.3.1. GET 3274 The GET method requests transfer of a current selected representation 3275 for the target resource. GET is the primary mechanism of information 3276 retrieval and the focus of almost all performance optimizations. 3277 Hence, when people speak of retrieving some identifiable information 3278 via HTTP, they are generally referring to making a GET request. 3280 It is tempting to think of resource identifiers as remote file system 3281 pathnames and of representations as being a copy of the contents of 3282 such files. In fact, that is how many resources are implemented (see 3283 Section 13.3 for related security considerations). However, there 3284 are no such limitations in practice. The HTTP interface for a 3285 resource is just as likely to be implemented as a tree of content 3286 objects, a programmatic view on various database records, or a 3287 gateway to other information systems. Even when the URI mapping 3288 mechanism is tied to a file system, an origin server might be 3289 configured to execute the files with the request as input and send 3290 the output as the representation rather than transfer the files 3291 directly. Regardless, only the origin server needs to know how each 3292 of its resource identifiers corresponds to an implementation and how 3293 each implementation manages to select and send a current 3294 representation of the target resource in a response to GET. 3296 A client can alter the semantics of GET to be a "range request", 3297 requesting transfer of only some part(s) of the selected 3298 representation, by sending a Range header field in the request 3299 (Section 8.3). 3301 The GET method is specifically intended to reflect the quality of 3302 "sameness" identified by the request URI as if it were referenced as 3303 an ordinary hypertext link. A client SHOULD NOT generate a body in a 3304 GET request. A payload received in a GET request has no defined 3305 semantics, cannot alter the meaning or target of the request, and 3306 might lead some implementations to reject the request and close the 3307 connection because of its potential as a request smuggling attack 3308 (Section 11.2 of [Messaging]). 3310 The response to a GET request is cacheable; a cache MAY use it to 3311 satisfy subsequent GET and HEAD requests unless otherwise indicated 3312 by the Cache-Control header field (Section 5.2 of [Caching]). A 3313 cache that receives a payload in a GET request is likely to ignore 3314 that payload and cache regardless of the payload contents. 3316 7.3.2. HEAD 3318 The HEAD method is identical to GET except that the server MUST NOT 3319 send a message body in the response (i.e., the response terminates at 3320 the end of the header section). The server SHOULD send the same 3321 header fields in response to a HEAD request as it would have sent if 3322 the request had been a GET, except that the payload header fields 3323 (Section 6.3) MAY be omitted. This method can be used for obtaining 3324 metadata about the selected representation without transferring the 3325 representation data and is often used for testing hypertext links for 3326 validity, accessibility, and recent modification. 3328 A payload within a HEAD request message has no defined semantics; 3329 sending a payload body on a HEAD request might cause some existing 3330 implementations to reject the request. 3332 The response to a HEAD request is cacheable; a cache MAY use it to 3333 satisfy subsequent HEAD requests unless otherwise indicated by the 3334 Cache-Control header field (Section 5.2 of [Caching]). A HEAD 3335 response might also have an effect on previously cached responses to 3336 GET; see Section 4.3.5 of [Caching]. 3338 7.3.3. POST 3340 The POST method requests that the target resource process the 3341 representation enclosed in the request according to the resource's 3342 own specific semantics. For example, POST is used for the following 3343 functions (among others): 3345 o Providing a block of data, such as the fields entered into an HTML 3346 form, to a data-handling process; 3348 o Posting a message to a bulletin board, newsgroup, mailing list, 3349 blog, or similar group of articles; 3351 o Creating a new resource that has yet to be identified by the 3352 origin server; and 3354 o Appending data to a resource's existing representation(s). 3356 An origin server indicates response semantics by choosing an 3357 appropriate status code depending on the result of processing the 3358 POST request; almost all of the status codes defined by this 3359 specification might be received in a response to POST (the exceptions 3360 being 206 (Partial Content), 304 (Not Modified), and 416 (Range Not 3361 Satisfiable)). 3363 If one or more resources has been created on the origin server as a 3364 result of successfully processing a POST request, the origin server 3365 SHOULD send a 201 (Created) response containing a Location header 3366 field that provides an identifier for the primary resource created 3367 (Section 10.1.2) and a representation that describes the status of 3368 the request while referring to the new resource(s). 3370 Responses to POST requests are only cacheable when they include 3371 explicit freshness information (see Section 4.2.1 of [Caching]) and a 3372 Content-Location header field that has the same value as the POST's 3373 effective request URI (Section 6.2.5). A cached POST response can be 3374 reused to satisfy a later GET or HEAD request, but not a POST 3375 request, since POST is required to be written through to the origin 3376 server, because it is unsafe; see Section 4 of [Caching]. 3378 If the result of processing a POST would be equivalent to a 3379 representation of an existing resource, an origin server MAY redirect 3380 the user agent to that resource by sending a 303 (See Other) response 3381 with the existing resource's identifier in the Location field. This 3382 has the benefits of providing the user agent a resource identifier 3383 and transferring the representation via a method more amenable to 3384 shared caching, though at the cost of an extra request if the user 3385 agent does not already have the representation cached. 3387 7.3.4. PUT 3389 The PUT method requests that the state of the target resource be 3390 created or replaced with the state defined by the representation 3391 enclosed in the request message payload. A successful PUT of a given 3392 representation would suggest that a subsequent GET on that same 3393 target resource will result in an equivalent representation being 3394 sent in a 200 (OK) response. However, there is no guarantee that 3395 such a state change will be observable, since the target resource 3396 might be acted upon by other user agents in parallel, or might be 3397 subject to dynamic processing by the origin server, before any 3398 subsequent GET is received. A successful response only implies that 3399 the user agent's intent was achieved at the time of its processing by 3400 the origin server. 3402 If the target resource does not have a current representation and the 3403 PUT successfully creates one, then the origin server MUST inform the 3404 user agent by sending a 201 (Created) response. If the target 3405 resource does have a current representation and that representation 3406 is successfully modified in accordance with the state of the enclosed 3407 representation, then the origin server MUST send either a 200 (OK) or 3408 a 204 (No Content) response to indicate successful completion of the 3409 request. 3411 An origin server SHOULD ignore unrecognized header fields received in 3412 a PUT request (i.e., do not save them as part of the resource state). 3414 An origin server SHOULD verify that the PUT representation is 3415 consistent with any constraints the server has for the target 3416 resource that cannot or will not be changed by the PUT. This is 3417 particularly important when the origin server uses internal 3418 configuration information related to the URI in order to set the 3419 values for representation metadata on GET responses. When a PUT 3420 representation is inconsistent with the target resource, the origin 3421 server SHOULD either make them consistent, by transforming the 3422 representation or changing the resource configuration, or respond 3423 with an appropriate error message containing sufficient information 3424 to explain why the representation is unsuitable. The 409 (Conflict) 3425 or 415 (Unsupported Media Type) status codes are suggested, with the 3426 latter being specific to constraints on Content-Type values. 3428 For example, if the target resource is configured to always have a 3429 Content-Type of "text/html" and the representation being PUT has a 3430 Content-Type of "image/jpeg", the origin server ought to do one of: 3432 a. reconfigure the target resource to reflect the new media type; 3433 b. transform the PUT representation to a format consistent with that 3434 of the resource before saving it as the new resource state; or, 3436 c. reject the request with a 415 (Unsupported Media Type) response 3437 indicating that the target resource is limited to "text/html", 3438 perhaps including a link to a different resource that would be a 3439 suitable target for the new representation. 3441 HTTP does not define exactly how a PUT method affects the state of an 3442 origin server beyond what can be expressed by the intent of the user 3443 agent request and the semantics of the origin server response. It 3444 does not define what a resource might be, in any sense of that word, 3445 beyond the interface provided via HTTP. It does not define how 3446 resource state is "stored", nor how such storage might change as a 3447 result of a change in resource state, nor how the origin server 3448 translates resource state into representations. Generally speaking, 3449 all implementation details behind the resource interface are 3450 intentionally hidden by the server. 3452 An origin server MUST NOT send a validator header field 3453 (Section 10.2), such as an ETag or Last-Modified field, in a 3454 successful response to PUT unless the request's representation data 3455 was saved without any transformation applied to the body (i.e., the 3456 resource's new representation data is identical to the representation 3457 data received in the PUT request) and the validator field value 3458 reflects the new representation. This requirement allows a user 3459 agent to know when the representation body it has in memory remains 3460 current as a result of the PUT, thus not in need of being retrieved 3461 again from the origin server, and that the new validator(s) received 3462 in the response can be used for future conditional requests in order 3463 to prevent accidental overwrites (Section 8.2). 3465 The fundamental difference between the POST and PUT methods is 3466 highlighted by the different intent for the enclosed representation. 3467 The target resource in a POST request is intended to handle the 3468 enclosed representation according to the resource's own semantics, 3469 whereas the enclosed representation in a PUT request is defined as 3470 replacing the state of the target resource. Hence, the intent of PUT 3471 is idempotent and visible to intermediaries, even though the exact 3472 effect is only known by the origin server. 3474 Proper interpretation of a PUT request presumes that the user agent 3475 knows which target resource is desired. A service that selects a 3476 proper URI on behalf of the client, after receiving a state-changing 3477 request, SHOULD be implemented using the POST method rather than PUT. 3478 If the origin server will not make the requested PUT state change to 3479 the target resource and instead wishes to have it applied to a 3480 different resource, such as when the resource has been moved to a 3481 different URI, then the origin server MUST send an appropriate 3xx 3482 (Redirection) response; the user agent MAY then make its own decision 3483 regarding whether or not to redirect the request. 3485 A PUT request applied to the target resource can have side effects on 3486 other resources. For example, an article might have a URI for 3487 identifying "the current version" (a resource) that is separate from 3488 the URIs identifying each particular version (different resources 3489 that at one point shared the same state as the current version 3490 resource). A successful PUT request on "the current version" URI 3491 might therefore create a new version resource in addition to changing 3492 the state of the target resource, and might also cause links to be 3493 added between the related resources. 3495 An origin server that allows PUT on a given target resource MUST send 3496 a 400 (Bad Request) response to a PUT request that contains a 3497 Content-Range header field (Section 6.3.4), since the payload is 3498 likely to be partial content that has been mistakenly PUT as a full 3499 representation. Partial content updates are possible by targeting a 3500 separately identified resource with state that overlaps a portion of 3501 the larger resource, or by using a different method that has been 3502 specifically defined for partial updates (for example, the PATCH 3503 method defined in [RFC5789]). 3505 Responses to the PUT method are not cacheable. If a successful PUT 3506 request passes through a cache that has one or more stored responses 3507 for the effective request URI, those stored responses will be 3508 invalidated (see Section 4.4 of [Caching]). 3510 7.3.5. DELETE 3512 The DELETE method requests that the origin server remove the 3513 association between the target resource and its current 3514 functionality. In effect, this method is similar to the rm command 3515 in UNIX: it expresses a deletion operation on the URI mapping of the 3516 origin server rather than an expectation that the previously 3517 associated information be deleted. 3519 If the target resource has one or more current representations, they 3520 might or might not be destroyed by the origin server, and the 3521 associated storage might or might not be reclaimed, depending 3522 entirely on the nature of the resource and its implementation by the 3523 origin server (which are beyond the scope of this specification). 3524 Likewise, other implementation aspects of a resource might need to be 3525 deactivated or archived as a result of a DELETE, such as database or 3526 gateway connections. In general, it is assumed that the origin 3527 server will only allow DELETE on resources for which it has a 3528 prescribed mechanism for accomplishing the deletion. 3530 Relatively few resources allow the DELETE method -- its primary use 3531 is for remote authoring environments, where the user has some 3532 direction regarding its effect. For example, a resource that was 3533 previously created using a PUT request, or identified via the 3534 Location header field after a 201 (Created) response to a POST 3535 request, might allow a corresponding DELETE request to undo those 3536 actions. Similarly, custom user agent implementations that implement 3537 an authoring function, such as revision control clients using HTTP 3538 for remote operations, might use DELETE based on an assumption that 3539 the server's URI space has been crafted to correspond to a version 3540 repository. 3542 If a DELETE method is successfully applied, the origin server SHOULD 3543 send 3545 o a 202 (Accepted) status code if the action will likely succeed but 3546 has not yet been enacted, 3548 o a 204 (No Content) status code if the action has been enacted and 3549 no further information is to be supplied, or 3551 o a 200 (OK) status code if the action has been enacted and the 3552 response message includes a representation describing the status. 3554 A payload within a DELETE request message has no defined semantics; 3555 sending a payload body on a DELETE request might cause some existing 3556 implementations to reject the request. 3558 Responses to the DELETE method are not cacheable. If a successful 3559 DELETE request passes through a cache that has one or more stored 3560 responses for the effective request URI, those stored responses will 3561 be invalidated (see Section 4.4 of [Caching]). 3563 7.3.6. CONNECT 3565 The CONNECT method requests that the recipient establish a tunnel to 3566 the destination origin server identified by the request-target and, 3567 if successful, thereafter restrict its behavior to blind forwarding 3568 of packets, in both directions, until the tunnel is closed. Tunnels 3569 are commonly used to create an end-to-end virtual connection, through 3570 one or more proxies, which can then be secured using TLS (Transport 3571 Layer Security, [RFC8446]). 3573 CONNECT is intended only for use in requests to a proxy. An origin 3574 server that receives a CONNECT request for itself MAY respond with a 3575 2xx (Successful) status code to indicate that a connection is 3576 established. However, most origin servers do not implement CONNECT. 3578 A client sending a CONNECT request MUST send the authority form of 3579 request-target (Section 3.2 of [Messaging]); i.e., the request-target 3580 consists of only the host name and port number of the tunnel 3581 destination, separated by a colon. For example, 3583 CONNECT server.example.com:80 HTTP/1.1 3584 Host: server.example.com:80 3586 The recipient proxy can establish a tunnel either by directly 3587 connecting to the request-target or, if configured to use another 3588 proxy, by forwarding the CONNECT request to the next inbound proxy. 3589 Any 2xx (Successful) response indicates that the sender (and all 3590 inbound proxies) will switch to tunnel mode immediately after the 3591 blank line that concludes the successful response's header section; 3592 data received after that blank line is from the server identified by 3593 the request-target. Any response other than a successful response 3594 indicates that the tunnel has not yet been formed and that the 3595 connection remains governed by HTTP. 3597 A tunnel is closed when a tunnel intermediary detects that either 3598 side has closed its connection: the intermediary MUST attempt to send 3599 any outstanding data that came from the closed side to the other 3600 side, close both connections, and then discard any remaining data 3601 left undelivered. 3603 Proxy authentication might be used to establish the authority to 3604 create a tunnel. For example, 3606 CONNECT server.example.com:80 HTTP/1.1 3607 Host: server.example.com:80 3608 Proxy-Authorization: basic aGVsbG86d29ybGQ= 3610 There are significant risks in establishing a tunnel to arbitrary 3611 servers, particularly when the destination is a well-known or 3612 reserved TCP port that is not intended for Web traffic. For example, 3613 a CONNECT to a request-target of "example.com:25" would suggest that 3614 the proxy connect to the reserved port for SMTP traffic; if allowed, 3615 that could trick the proxy into relaying spam email. Proxies that 3616 support CONNECT SHOULD restrict its use to a limited set of known 3617 ports or a configurable whitelist of safe request targets. 3619 A server MUST NOT send any Transfer-Encoding or Content-Length header 3620 fields in a 2xx (Successful) response to CONNECT. A client MUST 3621 ignore any Content-Length or Transfer-Encoding header fields received 3622 in a successful response to CONNECT. 3624 A payload within a CONNECT request message has no defined semantics; 3625 sending a payload body on a CONNECT request might cause some existing 3626 implementations to reject the request. 3628 Responses to the CONNECT method are not cacheable. 3630 7.3.7. OPTIONS 3632 The OPTIONS method requests information about the communication 3633 options available for the target resource, at either the origin 3634 server or an intervening intermediary. This method allows a client 3635 to determine the options and/or requirements associated with a 3636 resource, or the capabilities of a server, without implying a 3637 resource action. 3639 An OPTIONS request with an asterisk ("*") as the request-target 3640 (Section 3.2 of [Messaging]) applies to the server in general rather 3641 than to a specific resource. Since a server's communication options 3642 typically depend on the resource, the "*" request is only useful as a 3643 "ping" or "no-op" type of method; it does nothing beyond allowing the 3644 client to test the capabilities of the server. For example, this can 3645 be used to test a proxy for HTTP/1.1 conformance (or lack thereof). 3647 If the request-target is not an asterisk, the OPTIONS request applies 3648 to the options that are available when communicating with the target 3649 resource. 3651 A server generating a successful response to OPTIONS SHOULD send any 3652 header fields that might indicate optional features implemented by 3653 the server and applicable to the target resource (e.g., Allow), 3654 including potential extensions not defined by this specification. 3655 The response payload, if any, might also describe the communication 3656 options in a machine or human-readable representation. A standard 3657 format for such a representation is not defined by this 3658 specification, but might be defined by future extensions to HTTP. 3660 A client MAY send a Max-Forwards header field in an OPTIONS request 3661 to target a specific recipient in the request chain (see 3662 Section 8.1.2). A proxy MUST NOT generate a Max-Forwards header 3663 field while forwarding a request unless that request was received 3664 with a Max-Forwards field. 3666 A client that generates an OPTIONS request containing a payload body 3667 MUST send a valid Content-Type header field describing the 3668 representation media type. Note that this specification does not 3669 define any use for such a payload. 3671 Responses to the OPTIONS method are not cacheable. 3673 7.3.8. TRACE 3675 The TRACE method requests a remote, application-level loop-back of 3676 the request message. The final recipient of the request SHOULD 3677 reflect the message received, excluding some fields described below, 3678 back to the client as the message body of a 200 (OK) response with a 3679 Content-Type of "message/http" (Section 10.1 of [Messaging]). The 3680 final recipient is either the origin server or the first server to 3681 receive a Max-Forwards value of zero (0) in the request 3682 (Section 8.1.2). 3684 A client MUST NOT generate header fields in a TRACE request 3685 containing sensitive data that might be disclosed by the response. 3686 For example, it would be foolish for a user agent to send stored user 3687 credentials Section 8.5 or cookies [RFC6265] in a TRACE request. The 3688 final recipient of the request SHOULD exclude any request header 3689 fields that are likely to contain sensitive data when that recipient 3690 generates the response body. 3692 TRACE allows the client to see what is being received at the other 3693 end of the request chain and use that data for testing or diagnostic 3694 information. The value of the Via header field (Section 5.5.1) is of 3695 particular interest, since it acts as a trace of the request chain. 3696 Use of the Max-Forwards header field allows the client to limit the 3697 length of the request chain, which is useful for testing a chain of 3698 proxies forwarding messages in an infinite loop. 3700 A client MUST NOT send a message body in a TRACE request. 3702 Responses to the TRACE method are not cacheable. 3704 7.4. Method Extensibility 3706 Additional methods, outside the scope of this specification, have 3707 been specified for use in HTTP. All such methods ought to be 3708 registered within the "Hypertext Transfer Protocol (HTTP) Method 3709 Registry". 3711 7.4.1. Method Registry 3713 The "Hypertext Transfer Protocol (HTTP) Method Registry", maintained 3714 by IANA at , registers 3715 method names. 3717 HTTP method registrations MUST include the following fields: 3719 o Method Name (see Section 7) 3720 o Safe ("yes" or "no", see Section 7.2.1) 3722 o Idempotent ("yes" or "no", see Section 7.2.2) 3724 o Pointer to specification text 3726 Values to be added to this namespace require IETF Review (see 3727 [RFC8126], Section 4.8). 3729 7.4.2. Considerations for New Methods 3731 Standardized methods are generic; that is, they are potentially 3732 applicable to any resource, not just one particular media type, kind 3733 of resource, or application. As such, it is preferred that new 3734 methods be registered in a document that isn't specific to a single 3735 application or data format, since orthogonal technologies deserve 3736 orthogonal specification. 3738 Since message parsing (Section 6 of [Messaging]) needs to be 3739 independent of method semantics (aside from responses to HEAD), 3740 definitions of new methods cannot change the parsing algorithm or 3741 prohibit the presence of a message body on either the request or the 3742 response message. Definitions of new methods can specify that only a 3743 zero-length message body is allowed by requiring a Content-Length 3744 header field with a value of "0". 3746 A new method definition needs to indicate whether it is safe 3747 (Section 7.2.1), idempotent (Section 7.2.2), cacheable 3748 (Section 7.2.3), what semantics are to be associated with the payload 3749 body if any is present in the request and what refinements the method 3750 makes to header field or status code semantics. If the new method is 3751 cacheable, its definition ought to describe how, and under what 3752 conditions, a cache can store a response and use it to satisfy a 3753 subsequent request. The new method ought to describe whether it can 3754 be made conditional (Section 8.2) and, if so, how a server responds 3755 when the condition is false. Likewise, if the new method might have 3756 some use for partial response semantics (Section 8.3), it ought to 3757 document this, too. 3759 Note: Avoid defining a method name that starts with "M-", since 3760 that prefix might be misinterpreted as having the semantics 3761 assigned to it by [RFC2774]. 3763 8. Request Header Fields 3765 A client sends request header fields to provide more information 3766 about the request context, make the request conditional based on the 3767 target resource state, suggest preferred formats for the response, 3768 supply authentication credentials, or modify the expected request 3769 processing. These fields act as request modifiers, similar to the 3770 parameters on a programming language method invocation. 3772 8.1. Controls 3774 Controls are request header fields that direct specific handling of 3775 the request. 3777 +-------------------+----------------------------+ 3778 | Header Field Name | Defined in... | 3779 +-------------------+----------------------------+ 3780 | Cache-Control | Section 5.2 of [Caching] | 3781 | Expect | Section 8.1.1 | 3782 | Host | Section 5.4 | 3783 | Max-Forwards | Section 8.1.2 | 3784 | Pragma | Section 5.4 of [Caching] | 3785 | TE | Section 7.4 of [Messaging] | 3786 +-------------------+----------------------------+ 3788 8.1.1. Expect 3790 The "Expect" header field in a request indicates a certain set of 3791 behaviors (expectations) that need to be supported by the server in 3792 order to properly handle this request. The only such expectation 3793 defined by this specification is 100-continue. 3795 Expect = "100-continue" 3797 The Expect field-value is case-insensitive. 3799 A server that receives an Expect field-value other than 100-continue 3800 MAY respond with a 417 (Expectation Failed) status code to indicate 3801 that the unexpected expectation cannot be met. 3803 A 100-continue expectation informs recipients that the client is 3804 about to send a (presumably large) message body in this request and 3805 wishes to receive a 100 (Continue) interim response if the request- 3806 line and header fields are not sufficient to cause an immediate 3807 success, redirect, or error response. This allows the client to wait 3808 for an indication that it is worthwhile to send the message body 3809 before actually doing so, which can improve efficiency when the 3810 message body is huge or when the client anticipates that an error is 3811 likely (e.g., when sending a state-changing method, for the first 3812 time, without previously verified authentication credentials). 3814 For example, a request that begins with 3815 PUT /somewhere/fun HTTP/1.1 3816 Host: origin.example.com 3817 Content-Type: video/h264 3818 Content-Length: 1234567890987 3819 Expect: 100-continue 3821 allows the origin server to immediately respond with an error 3822 message, such as 401 (Unauthorized) or 405 (Method Not Allowed), 3823 before the client starts filling the pipes with an unnecessary data 3824 transfer. 3826 Requirements for clients: 3828 o A client MUST NOT generate a 100-continue expectation in a request 3829 that does not include a message body. 3831 o A client that will wait for a 100 (Continue) response before 3832 sending the request message body MUST send an Expect header field 3833 containing a 100-continue expectation. 3835 o A client that sends a 100-continue expectation is not required to 3836 wait for any specific length of time; such a client MAY proceed to 3837 send the message body even if it has not yet received a response. 3838 Furthermore, since 100 (Continue) responses cannot be sent through 3839 an HTTP/1.0 intermediary, such a client SHOULD NOT wait for an 3840 indefinite period before sending the message body. 3842 o A client that receives a 417 (Expectation Failed) status code in 3843 response to a request containing a 100-continue expectation SHOULD 3844 repeat that request without a 100-continue expectation, since the 3845 417 response merely indicates that the response chain does not 3846 support expectations (e.g., it passes through an HTTP/1.0 server). 3848 Requirements for servers: 3850 o A server that receives a 100-continue expectation in an HTTP/1.0 3851 request MUST ignore that expectation. 3853 o A server MAY omit sending a 100 (Continue) response if it has 3854 already received some or all of the message body for the 3855 corresponding request, or if the framing indicates that there is 3856 no message body. 3858 o A server that sends a 100 (Continue) response MUST ultimately send 3859 a final status code, once the message body is received and 3860 processed, unless the connection is closed prematurely. 3862 o A server that responds with a final status code before reading the 3863 entire request payload body SHOULD indicate whether it intends to 3864 close the connection (see Section 9.7 of [Messaging]) or continue 3865 reading the payload body. 3867 An origin server MUST, upon receiving an HTTP/1.1 (or later) request- 3868 line and a complete header section that contains a 100-continue 3869 expectation and indicates a request message body will follow, either 3870 send an immediate response with a final status code, if that status 3871 can be determined by examining just the request-line and header 3872 fields, or send an immediate 100 (Continue) response to encourage the 3873 client to send the request's message body. The origin server MUST 3874 NOT wait for the message body before sending the 100 (Continue) 3875 response. 3877 A proxy MUST, upon receiving an HTTP/1.1 (or later) request-line and 3878 a complete header section that contains a 100-continue expectation 3879 and indicates a request message body will follow, either send an 3880 immediate response with a final status code, if that status can be 3881 determined by examining just the request-line and header fields, or 3882 begin forwarding the request toward the origin server by sending a 3883 corresponding request-line and header section to the next inbound 3884 server. If the proxy believes (from configuration or past 3885 interaction) that the next inbound server only supports HTTP/1.0, the 3886 proxy MAY generate an immediate 100 (Continue) response to encourage 3887 the client to begin sending the message body. 3889 Note: The Expect header field was added after the original 3890 publication of HTTP/1.1 [RFC2068] as both the means to request an 3891 interim 100 (Continue) response and the general mechanism for 3892 indicating must-understand extensions. However, the extension 3893 mechanism has not been used by clients and the must-understand 3894 requirements have not been implemented by many servers, rendering 3895 the extension mechanism useless. This specification has removed 3896 the extension mechanism in order to simplify the definition and 3897 processing of 100-continue. 3899 8.1.2. Max-Forwards 3901 The "Max-Forwards" header field provides a mechanism with the TRACE 3902 (Section 7.3.8) and OPTIONS (Section 7.3.7) request methods to limit 3903 the number of times that the request is forwarded by proxies. This 3904 can be useful when the client is attempting to trace a request that 3905 appears to be failing or looping mid-chain. 3907 Max-Forwards = 1*DIGIT 3909 The Max-Forwards value is a decimal integer indicating the remaining 3910 number of times this request message can be forwarded. 3912 Each intermediary that receives a TRACE or OPTIONS request containing 3913 a Max-Forwards header field MUST check and update its value prior to 3914 forwarding the request. If the received value is zero (0), the 3915 intermediary MUST NOT forward the request; instead, the intermediary 3916 MUST respond as the final recipient. If the received Max-Forwards 3917 value is greater than zero, the intermediary MUST generate an updated 3918 Max-Forwards field in the forwarded message with a field-value that 3919 is the lesser of a) the received value decremented by one (1) or b) 3920 the recipient's maximum supported value for Max-Forwards. 3922 A recipient MAY ignore a Max-Forwards header field received with any 3923 other request methods. 3925 8.2. Preconditions 3927 A conditional request is an HTTP request with one or more request 3928 header fields that indicate a precondition to be tested before 3929 applying the request method to the target resource. Section 8.2.1 3930 defines when preconditions are applied. Section 8.2.2 defines the 3931 order of evaluation when more than one precondition is present. 3933 Conditional GET requests are the most efficient mechanism for HTTP 3934 cache updates [Caching]. Conditionals can also be applied to state- 3935 changing methods, such as PUT and DELETE, to prevent the "lost 3936 update" problem: one client accidentally overwriting the work of 3937 another client that has been acting in parallel. 3939 Conditional request preconditions are based on the state of the 3940 target resource as a whole (its current value set) or the state as 3941 observed in a previously obtained representation (one value in that 3942 set). A resource might have multiple current representations, each 3943 with its own observable state. The conditional request mechanisms 3944 assume that the mapping of requests to a "selected representation" 3945 (Section 6) will be consistent over time if the server intends to 3946 take advantage of conditionals. Regardless, if the mapping is 3947 inconsistent and the server is unable to select the appropriate 3948 representation, then no harm will result when the precondition 3949 evaluates to false. 3951 The following request header fields allow a client to place a 3952 precondition on the state of the target resource, so that the action 3953 corresponding to the method semantics will not be applied if the 3954 precondition evaluates to false. Each precondition defined by this 3955 specification consists of a comparison between a set of validators 3956 obtained from prior representations of the target resource to the 3957 current state of validators for the selected representation 3958 (Section 10.2). Hence, these preconditions evaluate whether the 3959 state of the target resource has changed since a given state known by 3960 the client. The effect of such an evaluation depends on the method 3961 semantics and choice of conditional, as defined in Section 8.2.1. 3963 +---------------------+---------------+ 3964 | Header Field Name | Defined in... | 3965 +---------------------+---------------+ 3966 | If-Match | Section 8.2.3 | 3967 | If-None-Match | Section 8.2.4 | 3968 | If-Modified-Since | Section 8.2.5 | 3969 | If-Unmodified-Since | Section 8.2.6 | 3970 | If-Range | Section 8.2.7 | 3971 +---------------------+---------------+ 3973 8.2.1. Evaluation 3975 Except when excluded below, a recipient cache or origin server MUST 3976 evaluate received request preconditions after it has successfully 3977 performed its normal request checks and just before it would perform 3978 the action associated with the request method. A server MUST ignore 3979 all received preconditions if its response to the same request 3980 without those conditions would have been a status code other than a 3981 2xx (Successful) or 412 (Precondition Failed). In other words, 3982 redirects and failures take precedence over the evaluation of 3983 preconditions in conditional requests. 3985 A server that is not the origin server for the target resource and 3986 cannot act as a cache for requests on the target resource MUST NOT 3987 evaluate the conditional request header fields defined by this 3988 specification, and it MUST forward them if the request is forwarded, 3989 since the generating client intends that they be evaluated by a 3990 server that can provide a current representation. Likewise, a server 3991 MUST ignore the conditional request header fields defined by this 3992 specification when received with a request method that does not 3993 involve the selection or modification of a selected representation, 3994 such as CONNECT, OPTIONS, or TRACE. 3996 Note that protocol extensions can modify the conditions under which 3997 revalidation is triggered. For example, the "immutable" cache 3998 directive (defined by [RFC8246]) instructs caches to forgo 3999 revalidation of fresh responses even when requested by the client. 4001 Conditional request header fields that are defined by extensions to 4002 HTTP might place conditions on all recipients, on the state of the 4003 target resource in general, or on a group of resources. For 4004 instance, the "If" header field in WebDAV can make a request 4005 conditional on various aspects of multiple resources, such as locks, 4006 if the recipient understands and implements that field ([RFC4918], 4007 Section 10.4). 4009 Although conditional request header fields are defined as being 4010 usable with the HEAD method (to keep HEAD's semantics consistent with 4011 those of GET), there is no point in sending a conditional HEAD 4012 because a successful response is around the same size as a 304 (Not 4013 Modified) response and more useful than a 412 (Precondition Failed) 4014 response. 4016 8.2.2. Precedence 4018 When more than one conditional request header field is present in a 4019 request, the order in which the fields are evaluated becomes 4020 important. In practice, the fields defined in this document are 4021 consistently implemented in a single, logical order, since "lost 4022 update" preconditions have more strict requirements than cache 4023 validation, a validated cache is more efficient than a partial 4024 response, and entity tags are presumed to be more accurate than date 4025 validators. 4027 A recipient cache or origin server MUST evaluate the request 4028 preconditions defined by this specification in the following order: 4030 1. When recipient is the origin server and If-Match is present, 4031 evaluate the If-Match precondition: 4033 * if true, continue to step 3 4035 * if false, respond 412 (Precondition Failed) unless it can be 4036 determined that the state-changing request has already 4037 succeeded (see Section 8.2.3) 4039 2. When recipient is the origin server, If-Match is not present, and 4040 If-Unmodified-Since is present, evaluate the If-Unmodified-Since 4041 precondition: 4043 * if true, continue to step 3 4044 * if false, respond 412 (Precondition Failed) unless it can be 4045 determined that the state-changing request has already 4046 succeeded (see Section 8.2.6) 4048 3. When If-None-Match is present, evaluate the If-None-Match 4049 precondition: 4051 * if true, continue to step 5 4053 * if false for GET/HEAD, respond 304 (Not Modified) 4055 * if false for other methods, respond 412 (Precondition Failed) 4057 4. When the method is GET or HEAD, If-None-Match is not present, and 4058 If-Modified-Since is present, evaluate the If-Modified-Since 4059 precondition: 4061 * if true, continue to step 5 4063 * if false, respond 304 (Not Modified) 4065 5. When the method is GET and both Range and If-Range are present, 4066 evaluate the If-Range precondition: 4068 * if the validator matches and the Range specification is 4069 applicable to the selected representation, respond 206 4070 (Partial Content) 4072 6. Otherwise, 4074 * all conditions are met, so perform the requested action and 4075 respond according to its success or failure. 4077 Any extension to HTTP/1.1 that defines additional conditional request 4078 header fields ought to define its own expectations regarding the 4079 order for evaluating such fields in relation to those defined in this 4080 document and other conditionals that might be found in practice. 4082 8.2.3. If-Match 4084 The "If-Match" header field makes the request method conditional on 4085 the recipient origin server either having at least one current 4086 representation of the target resource, when the field-value is "*", 4087 or having a current representation of the target resource that has an 4088 entity-tag matching a member of the list of entity-tags provided in 4089 the field-value. 4091 An origin server MUST use the strong comparison function when 4092 comparing entity-tags for If-Match (Section 10.2.3.2), since the 4093 client intends this precondition to prevent the method from being 4094 applied if there have been any changes to the representation data. 4096 If-Match = "*" / 1#entity-tag 4098 Examples: 4100 If-Match: "xyzzy" 4101 If-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 4102 If-Match: * 4104 If-Match is most often used with state-changing methods (e.g., POST, 4105 PUT, DELETE) to prevent accidental overwrites when multiple user 4106 agents might be acting in parallel on the same resource (i.e., to 4107 prevent the "lost update" problem). It can also be used with safe 4108 methods to abort a request if the selected representation does not 4109 match one already stored (or partially stored) from a prior request. 4111 An origin server that receives an If-Match header field MUST evaluate 4112 the condition prior to performing the method (Section 8.2.1). If the 4113 field-value is "*", the condition is false if the origin server does 4114 not have a current representation for the target resource. If the 4115 field-value is a list of entity-tags, the condition is false if none 4116 of the listed tags match the entity-tag of the selected 4117 representation. 4119 An origin server MUST NOT perform the requested method if a received 4120 If-Match condition evaluates to false; instead, the origin server 4121 MUST respond with either a) the 412 (Precondition Failed) status code 4122 or b) one of the 2xx (Successful) status codes if the origin server 4123 has verified that a state change is being requested and the final 4124 state is already reflected in the current state of the target 4125 resource (i.e., the change requested by the user agent has already 4126 succeeded, but the user agent might not be aware of it, perhaps 4127 because the prior response was lost or a compatible change was made 4128 by some other user agent). In the latter case, the origin server 4129 MUST NOT send a validator header field in the response unless it can 4130 verify that the request is a duplicate of an immediately prior change 4131 made by the same user agent. 4133 The If-Match header field can be ignored by caches and intermediaries 4134 because it is not applicable to a stored response. 4136 8.2.4. If-None-Match 4138 The "If-None-Match" header field makes the request method conditional 4139 on a recipient cache or origin server either not having any current 4140 representation of the target resource, when the field-value is "*", 4141 or having a selected representation with an entity-tag that does not 4142 match any of those listed in the field-value. 4144 A recipient MUST use the weak comparison function when comparing 4145 entity-tags for If-None-Match (Section 10.2.3.2), since weak entity- 4146 tags can be used for cache validation even if there have been changes 4147 to the representation data. 4149 If-None-Match = "*" / 1#entity-tag 4151 Examples: 4153 If-None-Match: "xyzzy" 4154 If-None-Match: W/"xyzzy" 4155 If-None-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 4156 If-None-Match: W/"xyzzy", W/"r2d2xxxx", W/"c3piozzzz" 4157 If-None-Match: * 4159 If-None-Match is primarily used in conditional GET requests to enable 4160 efficient updates of cached information with a minimum amount of 4161 transaction overhead. When a client desires to update one or more 4162 stored responses that have entity-tags, the client SHOULD generate an 4163 If-None-Match header field containing a list of those entity-tags 4164 when making a GET request; this allows recipient servers to send a 4165 304 (Not Modified) response to indicate when one of those stored 4166 responses matches the selected representation. 4168 If-None-Match can also be used with a value of "*" to prevent an 4169 unsafe request method (e.g., PUT) from inadvertently modifying an 4170 existing representation of the target resource when the client 4171 believes that the resource does not have a current representation 4172 (Section 7.2.1). This is a variation on the "lost update" problem 4173 that might arise if more than one client attempts to create an 4174 initial representation for the target resource. 4176 An origin server that receives an If-None-Match header field MUST 4177 evaluate the condition prior to performing the method 4178 (Section 8.2.1). If the field-value is "*", the condition is false 4179 if the origin server has a current representation for the target 4180 resource. If the field-value is a list of entity-tags, the condition 4181 is false if one of the listed tags match the entity-tag of the 4182 selected representation. 4184 An origin server MUST NOT perform the requested method if the 4185 condition evaluates to false; instead, the origin server MUST respond 4186 with either a) the 304 (Not Modified) status code if the request 4187 method is GET or HEAD or b) the 412 (Precondition Failed) status code 4188 for all other request methods. 4190 Requirements on cache handling of a received If-None-Match header 4191 field are defined in Section 4.3.2 of [Caching]. 4193 8.2.5. If-Modified-Since 4195 The "If-Modified-Since" header field makes a GET or HEAD request 4196 method conditional on the selected representation's modification date 4197 being more recent than the date provided in the field-value. 4198 Transfer of the selected representation's data is avoided if that 4199 data has not changed. 4201 If-Modified-Since = HTTP-date 4203 An example of the field is: 4205 If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT 4207 A recipient MUST ignore If-Modified-Since if the request contains an 4208 If-None-Match header field; the condition in If-None-Match is 4209 considered to be a more accurate replacement for the condition in If- 4210 Modified-Since, and the two are only combined for the sake of 4211 interoperating with older intermediaries that might not implement If- 4212 None-Match. 4214 A recipient MUST ignore the If-Modified-Since header field if the 4215 received field-value is not a valid HTTP-date, or if the request 4216 method is neither GET nor HEAD. 4218 A recipient MUST interpret an If-Modified-Since field-value's 4219 timestamp in terms of the origin server's clock. 4221 If-Modified-Since is typically used for two distinct purposes: 1) to 4222 allow efficient updates of a cached representation that does not have 4223 an entity-tag and 2) to limit the scope of a web traversal to 4224 resources that have recently changed. 4226 When used for cache updates, a cache will typically use the value of 4227 the cached message's Last-Modified field to generate the field value 4228 of If-Modified-Since. This behavior is most interoperable for cases 4229 where clocks are poorly synchronized or when the server has chosen to 4230 only honor exact timestamp matches (due to a problem with Last- 4231 Modified dates that appear to go "back in time" when the origin 4232 server's clock is corrected or a representation is restored from an 4233 archived backup). However, caches occasionally generate the field 4234 value based on other data, such as the Date header field of the 4235 cached message or the local clock time that the message was received, 4236 particularly when the cached message does not contain a Last-Modified 4237 field. 4239 When used for limiting the scope of retrieval to a recent time 4240 window, a user agent will generate an If-Modified-Since field value 4241 based on either its own local clock or a Date header field received 4242 from the server in a prior response. Origin servers that choose an 4243 exact timestamp match based on the selected representation's Last- 4244 Modified field will not be able to help the user agent limit its data 4245 transfers to only those changed during the specified window. 4247 An origin server that receives an If-Modified-Since header field 4248 SHOULD evaluate the condition prior to performing the method 4249 (Section 8.2.1). The origin server SHOULD NOT perform the requested 4250 method if the selected representation's last modification date is 4251 earlier than or equal to the date provided in the field-value; 4252 instead, the origin server SHOULD generate a 304 (Not Modified) 4253 response, including only those metadata that are useful for 4254 identifying or updating a previously cached response. 4256 Requirements on cache handling of a received If-Modified-Since header 4257 field are defined in Section 4.3.2 of [Caching]. 4259 8.2.6. If-Unmodified-Since 4261 The "If-Unmodified-Since" header field makes the request method 4262 conditional on the selected representation's last modification date 4263 being earlier than or equal to the date provided in the field-value. 4264 This field accomplishes the same purpose as If-Match for cases where 4265 the user agent does not have an entity-tag for the representation. 4267 If-Unmodified-Since = HTTP-date 4269 An example of the field is: 4271 If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT 4273 A recipient MUST ignore If-Unmodified-Since if the request contains 4274 an If-Match header field; the condition in If-Match is considered to 4275 be a more accurate replacement for the condition in If-Unmodified- 4276 Since, and the two are only combined for the sake of interoperating 4277 with older intermediaries that might not implement If-Match. 4279 A recipient MUST ignore the If-Unmodified-Since header field if the 4280 received field-value is not a valid HTTP-date. 4282 A recipient MUST interpret an If-Unmodified-Since field-value's 4283 timestamp in terms of the origin server's clock. 4285 If-Unmodified-Since is most often used with state-changing methods 4286 (e.g., POST, PUT, DELETE) to prevent accidental overwrites when 4287 multiple user agents might be acting in parallel on a resource that 4288 does not supply entity-tags with its representations (i.e., to 4289 prevent the "lost update" problem). It can also be used with safe 4290 methods to abort a request if the selected representation does not 4291 match one already stored (or partially stored) from a prior request. 4293 An origin server that receives an If-Unmodified-Since header field 4294 MUST evaluate the condition prior to performing the method 4295 (Section 8.2.1). The origin server MUST NOT perform the requested 4296 method if the selected representation's last modification date is 4297 more recent than the date provided in the field-value; instead the 4298 origin server MUST respond with either a) the 412 (Precondition 4299 Failed) status code or b) one of the 2xx (Successful) status codes if 4300 the origin server has verified that a state change is being requested 4301 and the final state is already reflected in the current state of the 4302 target resource (i.e., the change requested by the user agent has 4303 already succeeded, but the user agent might not be aware of that 4304 because the prior response message was lost or a compatible change 4305 was made by some other user agent). In the latter case, the origin 4306 server MUST NOT send a validator header field in the response unless 4307 it can verify that the request is a duplicate of an immediately prior 4308 change made by the same user agent. 4310 The If-Unmodified-Since header field can be ignored by caches and 4311 intermediaries because it is not applicable to a stored response. 4313 8.2.7. If-Range 4315 The "If-Range" header field provides a special conditional request 4316 mechanism that is similar to the If-Match and If-Unmodified-Since 4317 header fields but that instructs the recipient to ignore the Range 4318 header field if the validator doesn't match, resulting in transfer of 4319 the new selected representation instead of a 412 (Precondition 4320 Failed) response. 4322 If a client has a partial copy of a representation and wishes to have 4323 an up-to-date copy of the entire representation, it could use the 4324 Range header field with a conditional GET (using either or both of 4325 If-Unmodified-Since and If-Match.) However, if the precondition 4326 fails because the representation has been modified, the client would 4327 then have to make a second request to obtain the entire current 4328 representation. 4330 The "If-Range" header field allows a client to "short-circuit" the 4331 second request. Informally, its meaning is as follows: if the 4332 representation is unchanged, send me the part(s) that I am requesting 4333 in Range; otherwise, send me the entire representation. 4335 If-Range = entity-tag / HTTP-date 4337 A client MUST NOT generate an If-Range header field in a request that 4338 does not contain a Range header field. A server MUST ignore an If- 4339 Range header field received in a request that does not contain a 4340 Range header field. An origin server MUST ignore an If-Range header 4341 field received in a request for a target resource that does not 4342 support Range requests. 4344 A client MUST NOT generate an If-Range header field containing an 4345 entity-tag that is marked as weak. A client MUST NOT generate an If- 4346 Range header field containing an HTTP-date unless the client has no 4347 entity-tag for the corresponding representation and the date is a 4348 strong validator in the sense defined by Section 10.2.2.2. 4350 A server that evaluates an If-Range precondition MUST use the strong 4351 comparison function when comparing entity-tags (Section 10.2.3.2) and 4352 MUST evaluate the condition as false if an HTTP-date validator is 4353 provided that is not a strong validator in the sense defined by 4354 Section 10.2.2.2. A valid entity-tag can be distinguished from a 4355 valid HTTP-date by examining the first two characters for a DQUOTE. 4357 If the validator given in the If-Range header field matches the 4358 current validator for the selected representation of the target 4359 resource, then the server SHOULD process the Range header field as 4360 requested. If the validator does not match, the server MUST ignore 4361 the Range header field. Note that this comparison by exact match, 4362 including when the validator is an HTTP-date, differs from the 4363 "earlier than or equal to" comparison used when evaluating an If- 4364 Unmodified-Since conditional. 4366 8.3. Range 4368 The "Range" header field on a GET request modifies the method 4369 semantics to request transfer of only one or more subranges of the 4370 selected representation data, rather than the entire selected 4371 representation data. 4373 Range = ranges-specifier 4375 Clients often encounter interrupted data transfers as a result of 4376 canceled requests or dropped connections. When a client has stored a 4377 partial representation, it is desirable to request the remainder of 4378 that representation in a subsequent request rather than transfer the 4379 entire representation. Likewise, devices with limited local storage 4380 might benefit from being able to request only a subset of a larger 4381 representation, such as a single page of a very large document, or 4382 the dimensions of an embedded image. 4384 Range requests are an OPTIONAL feature of HTTP, designed so that 4385 recipients not implementing this feature (or not supporting it for 4386 the target resource) can respond as if it is a normal GET request 4387 without impacting interoperability. Partial responses are indicated 4388 by a distinct status code to not be mistaken for full responses by 4389 caches that might not implement the feature. 4391 A server MAY ignore the Range header field. However, origin servers 4392 and intermediate caches ought to support byte ranges when possible, 4393 since they support efficient recovery from partially failed transfers 4394 and partial retrieval of large representations. A server MUST ignore 4395 a Range header field received with a request method other than GET. 4397 Although the range request mechanism is designed to allow for 4398 extensible range types, this specification only defines requests for 4399 byte ranges. 4401 An origin server MUST ignore a Range header field that contains a 4402 range unit it does not understand. A proxy MAY discard a Range 4403 header field that contains a range unit it does not understand. 4405 A server that supports range requests MAY ignore or reject a Range 4406 header field that consists of more than two overlapping ranges, or a 4407 set of many small ranges that are not listed in ascending order, 4408 since both are indications of either a broken client or a deliberate 4409 denial-of-service attack (Section 13.13). A client SHOULD NOT 4410 request multiple ranges that are inherently less efficient to process 4411 and transfer than a single range that encompasses the same data. 4413 A client that is requesting multiple ranges SHOULD list those ranges 4414 in ascending order (the order in which they would typically be 4415 received in a complete representation) unless there is a specific 4416 need to request a later part earlier. For example, a user agent 4417 processing a large representation with an internal catalog of parts 4418 might need to request later parts first, particularly if the 4419 representation consists of pages stored in reverse order and the user 4420 agent wishes to transfer one page at a time. 4422 The Range header field is evaluated after evaluating the precondition 4423 header fields defined in Section 8.2, and only if the result in 4424 absence of the Range header field would be a 200 (OK) response. In 4425 other words, Range is ignored when a conditional GET would result in 4426 a 304 (Not Modified) response. 4428 The If-Range header field (Section 8.2.7) can be used as a 4429 precondition to applying the Range header field. 4431 If all of the preconditions are true, the server supports the Range 4432 header field for the target resource, and the specified range(s) are 4433 valid and satisfiable (as defined in Section 6.1.4.2), the server 4434 SHOULD send a 206 (Partial Content) response with a payload 4435 containing one or more partial representations that correspond to the 4436 satisfiable ranges requested. 4438 If all of the preconditions are true, the server supports the Range 4439 header field for the target resource, and the specified range(s) are 4440 invalid or unsatisfiable, the server SHOULD send a 416 (Range Not 4441 Satisfiable) response. 4443 8.4. Content Negotiation 4445 The following request header fields are sent by a user agent to 4446 engage in proactive negotiation of the response content, as defined 4447 in Section 6.4.1. The preferences sent in these fields apply to any 4448 content in the response, including representations of the target 4449 resource, representations of error or processing status, and 4450 potentially even the miscellaneous text strings that might appear 4451 within the protocol. 4453 +-------------------+---------------+ 4454 | Header Field Name | Defined in... | 4455 +-------------------+---------------+ 4456 | Accept | Section 8.4.2 | 4457 | Accept-Charset | Section 8.4.3 | 4458 | Accept-Encoding | Section 8.4.4 | 4459 | Accept-Language | Section 8.4.5 | 4460 +-------------------+---------------+ 4462 For each of these header fields, a request that does not contain it 4463 implies that the user agent has no preference on that axis of 4464 negotiation. If the header field is present in a request and none of 4465 the available representations for the response can be considered 4466 acceptable according to it, the origin server can either honor the 4467 header field by sending a 406 (Not Acceptable) response or disregard 4468 the header field by treating the response as if it is not subject to 4469 content negotiation for that request header field. This does not 4470 imply, however, that the client will be able to use the 4471 representation. 4473 Note: Sending these header fields makes it easier for a server to 4474 identify an individual by virtue of the user agent's request 4475 characteristics (Section 13.11). 4477 Each of these header fields defines a wildcard value (often, "*") to 4478 select unspecified values. If no wildcard is present, all values not 4479 explicitly mentioned in the field are considered "not acceptable" to 4480 the client. 4482 Note: In practice, using wildcards in content negotiation has limited 4483 practical value, because it is seldom useful to say, for example, "I 4484 prefer image/* more or less than (some other specific value)". 4485 Clients can explicitly request a 406 (Not Acceptable) response if a 4486 more preferred format is not available by sending Accept: */*;q=0, 4487 but they still need to be able to handle a different response, since 4488 the server is allowed to ignore their preference. 4490 8.4.1. Quality Values 4492 Many of the request header fields for proactive negotiation use a 4493 common parameter, named "q" (case-insensitive), to assign a relative 4494 "weight" to the preference for that associated kind of content. This 4495 weight is referred to as a "quality value" (or "qvalue") because the 4496 same parameter name is often used within server configurations to 4497 assign a weight to the relative quality of the various 4498 representations that can be selected for a resource. 4500 The weight is normalized to a real number in the range 0 through 1, 4501 where 0.001 is the least preferred and 1 is the most preferred; a 4502 value of 0 means "not acceptable". If no "q" parameter is present, 4503 the default weight is 1. 4505 weight = OWS ";" OWS "q=" qvalue 4506 qvalue = ( "0" [ "." 0*3DIGIT ] ) 4507 / ( "1" [ "." 0*3("0") ] ) 4509 A sender of qvalue MUST NOT generate more than three digits after the 4510 decimal point. User configuration of these values ought to be 4511 limited in the same fashion. 4513 8.4.2. Accept 4515 The "Accept" header field can be used by user agents to specify their 4516 preferences regarding response media types. For example, Accept 4517 header fields can be used to indicate that the request is 4518 specifically limited to a small set of desired types, as in the case 4519 of a request for an in-line image. 4521 Accept = #( media-range [ accept-params ] ) 4523 media-range = ( "*/*" 4524 / ( type "/" "*" ) 4525 / ( type "/" subtype ) 4526 ) *( OWS ";" OWS parameter ) 4527 accept-params = weight *( accept-ext ) 4528 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 4530 The asterisk "*" character is used to group media types into ranges, 4531 with "*/*" indicating all media types and "type/*" indicating all 4532 subtypes of that type. The media-range can include media type 4533 parameters that are applicable to that range. 4535 Each media-range might be followed by zero or more applicable media 4536 type parameters (e.g., charset), an optional "q" parameter for 4537 indicating a relative weight (Section 8.4.1), and then zero or more 4538 extension parameters. The "q" parameter is necessary if any 4539 extensions (accept-ext) are present, since it acts as a separator 4540 between the two parameter sets. 4542 Note: Use of the "q" parameter name to separate media type 4543 parameters from Accept extension parameters is due to historical 4544 practice. Although this prevents any media type parameter named 4545 "q" from being used with a media range, such an event is believed 4546 to be unlikely given the lack of any "q" parameters in the IANA 4547 media type registry and the rare usage of any media type 4548 parameters in Accept. Future media types are discouraged from 4549 registering any parameter named "q". 4551 The example 4553 Accept: audio/*; q=0.2, audio/basic 4555 is interpreted as "I prefer audio/basic, but send me any audio type 4556 if it is the best available after an 80% markdown in quality". 4558 A more elaborate example is 4560 Accept: text/plain; q=0.5, text/html, 4561 text/x-dvi; q=0.8, text/x-c 4563 Verbally, this would be interpreted as "text/html and text/x-c are 4564 the equally preferred media types, but if they do not exist, then 4565 send the text/x-dvi representation, and if that does not exist, send 4566 the text/plain representation". 4568 Media ranges can be overridden by more specific media ranges or 4569 specific media types. If more than one media range applies to a 4570 given type, the most specific reference has precedence. For example, 4572 Accept: text/*, text/plain, text/plain;format=flowed, */* 4574 have the following precedence: 4576 1. text/plain;format=flowed 4578 2. text/plain 4580 3. text/* 4582 4. */* 4584 The media type quality factor associated with a given type is 4585 determined by finding the media range with the highest precedence 4586 that matches the type. For example, 4588 Accept: text/*;q=0.3, text/html;q=0.7, text/html;level=1, 4589 text/html;level=2;q=0.4, */*;q=0.5 4591 would cause the following values to be associated: 4593 +-------------------+---------------+ 4594 | Media Type | Quality Value | 4595 +-------------------+---------------+ 4596 | text/html;level=1 | 1 | 4597 | text/html | 0.7 | 4598 | text/plain | 0.3 | 4599 | image/jpeg | 0.5 | 4600 | text/html;level=2 | 0.4 | 4601 | text/html;level=3 | 0.7 | 4602 +-------------------+---------------+ 4604 Note: A user agent might be provided with a default set of quality 4605 values for certain media ranges. However, unless the user agent is a 4606 closed system that cannot interact with other rendering agents, this 4607 default set ought to be configurable by the user. 4609 8.4.3. Accept-Charset 4611 The "Accept-Charset" header field can be sent by a user agent to 4612 indicate its preferences for charsets in textual response content. 4613 For example, this field allows user agents capable of understanding 4614 more comprehensive or special-purpose charsets to signal that 4615 capability to an origin server that is capable of representing 4616 information in those charsets. 4618 Accept-Charset = 1#( ( charset / "*" ) [ weight ] ) 4620 Charset names are defined in Section 6.1.1.1. A user agent MAY 4621 associate a quality value with each charset to indicate the user's 4622 relative preference for that charset, as defined in Section 8.4.1. 4623 An example is 4625 Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 4627 The special value "*", if present in the Accept-Charset field, 4628 matches every charset that is not mentioned elsewhere in the Accept- 4629 Charset field. 4631 Note: Accept-Charset is deprecated because UTF-8 has become nearly 4632 ubiquitous and sending a detailed list of user-preferred charsets 4633 wastes bandwidth, increases latency, and makes passive fingerprinting 4634 far too easy (Section 13.11). Most general-purpose user agents do 4635 not send Accept-Charset, unless specifically configured to do so. 4637 8.4.4. Accept-Encoding 4639 The "Accept-Encoding" header field can be used by user agents to 4640 indicate their preferences regarding response content-codings 4641 (Section 6.1.2). An "identity" token is used as a synonym for "no 4642 encoding" in order to communicate when no encoding is preferred. 4644 Accept-Encoding = #( codings [ weight ] ) 4645 codings = content-coding / "identity" / "*" 4647 Each codings value MAY be given an associated quality value 4648 representing the preference for that encoding, as defined in 4649 Section 8.4.1. The asterisk "*" symbol in an Accept-Encoding field 4650 matches any available content-coding not explicitly listed in the 4651 header field. 4653 For example, 4655 Accept-Encoding: compress, gzip 4656 Accept-Encoding: 4657 Accept-Encoding: * 4658 Accept-Encoding: compress;q=0.5, gzip;q=1.0 4659 Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0 4661 A server tests whether a content-coding for a given representation is 4662 acceptable using these rules: 4664 1. If no Accept-Encoding field is in the request, any content-coding 4665 is considered acceptable by the user agent. 4667 2. If the representation has no content-coding, then it is 4668 acceptable by default unless specifically excluded by the Accept- 4669 Encoding field stating either "identity;q=0" or "*;q=0" without a 4670 more specific entry for "identity". 4672 3. If the representation's content-coding is one of the content- 4673 codings listed in the Accept-Encoding field, then it is 4674 acceptable unless it is accompanied by a qvalue of 0. (As 4675 defined in Section 8.4.1, a qvalue of 0 means "not acceptable".) 4677 4. If multiple content-codings are acceptable, then the acceptable 4678 content-coding with the highest non-zero qvalue is preferred. 4680 An Accept-Encoding header field with a combined field-value that is 4681 empty implies that the user agent does not want any content-coding in 4682 response. If an Accept-Encoding header field is present in a request 4683 and none of the available representations for the response have a 4684 content-coding that is listed as acceptable, the origin server SHOULD 4685 send a response without any content-coding. 4687 Note: Most HTTP/1.0 applications do not recognize or obey qvalues 4688 associated with content-codings. This means that qvalues might 4689 not work and are not permitted with x-gzip or x-compress. 4691 8.4.5. Accept-Language 4693 The "Accept-Language" header field can be used by user agents to 4694 indicate the set of natural languages that are preferred in the 4695 response. Language tags are defined in Section 6.1.3. 4697 Accept-Language = 1#( language-range [ weight ] ) 4698 language-range = 4699 4701 Each language-range can be given an associated quality value 4702 representing an estimate of the user's preference for the languages 4703 specified by that range, as defined in Section 8.4.1. For example, 4705 Accept-Language: da, en-gb;q=0.8, en;q=0.7 4707 would mean: "I prefer Danish, but will accept British English and 4708 other types of English". 4710 Note that some recipients treat the order in which language tags are 4711 listed as an indication of descending priority, particularly for tags 4712 that are assigned equal quality values (no value is the same as q=1). 4713 However, this behavior cannot be relied upon. For consistency and to 4714 maximize interoperability, many user agents assign each language tag 4715 a unique quality value while also listing them in order of decreasing 4716 quality. Additional discussion of language priority lists can be 4717 found in Section 2.3 of [RFC4647]. 4719 For matching, Section 3 of [RFC4647] defines several matching 4720 schemes. Implementations can offer the most appropriate matching 4721 scheme for their requirements. The "Basic Filtering" scheme 4722 ([RFC4647], Section 3.3.1) is identical to the matching scheme that 4723 was previously defined for HTTP in Section 14.4 of [RFC2616]. 4725 It might be contrary to the privacy expectations of the user to send 4726 an Accept-Language header field with the complete linguistic 4727 preferences of the user in every request (Section 13.11). 4729 Since intelligibility is highly dependent on the individual user, 4730 user agents need to allow user control over the linguistic preference 4731 (either through configuration of the user agent itself or by 4732 defaulting to a user controllable system setting). A user agent that 4733 does not provide such control to the user MUST NOT send an Accept- 4734 Language header field. 4736 Note: User agents ought to provide guidance to users when setting 4737 a preference, since users are rarely familiar with the details of 4738 language matching as described above. For example, users might 4739 assume that on selecting "en-gb", they will be served any kind of 4740 English document if British English is not available. A user 4741 agent might suggest, in such a case, to add "en" to the list for 4742 better matching behavior. 4744 8.5. Authentication Credentials 4746 HTTP provides a general framework for access control and 4747 authentication, via an extensible set of challenge-response 4748 authentication schemes, which can be used by a server to challenge a 4749 client request and by a client to provide authentication information. 4751 Two header fields are used for carrying authentication credentials. 4752 Note that various custom mechanisms for user authentication use the 4753 Cookie header field for this purpose, as defined in [RFC6265]. 4755 +---------------------+---------------+ 4756 | Header Field Name | Defined in... | 4757 +---------------------+---------------+ 4758 | Authorization | Section 8.5.3 | 4759 | Proxy-Authorization | Section 8.5.4 | 4760 +---------------------+---------------+ 4762 8.5.1. Challenge and Response 4764 HTTP provides a simple challenge-response authentication framework 4765 that can be used by a server to challenge a client request and by a 4766 client to provide authentication information. It uses a case- 4767 insensitive token as a means to identify the authentication scheme, 4768 followed by additional information necessary for achieving 4769 authentication via that scheme. The latter can be either a comma- 4770 separated list of parameters or a single sequence of characters 4771 capable of holding base64-encoded information. 4773 Authentication parameters are name=value pairs, where the name token 4774 is matched case-insensitively, and each parameter name MUST only 4775 occur once per challenge. 4777 auth-scheme = token 4779 auth-param = token BWS "=" BWS ( token / quoted-string ) 4781 token68 = 1*( ALPHA / DIGIT / 4782 "-" / "." / "_" / "~" / "+" / "/" ) *"=" 4784 The token68 syntax allows the 66 unreserved URI characters 4785 ([RFC3986]), plus a few others, so that it can hold a base64, 4786 base64url (URL and filename safe alphabet), base32, or base16 (hex) 4787 encoding, with or without padding, but excluding whitespace 4788 ([RFC4648]). 4790 A 401 (Unauthorized) response message is used by an origin server to 4791 challenge the authorization of a user agent, including a WWW- 4792 Authenticate header field containing at least one challenge 4793 applicable to the requested resource. 4795 A 407 (Proxy Authentication Required) response message is used by a 4796 proxy to challenge the authorization of a client, including a Proxy- 4797 Authenticate header field containing at least one challenge 4798 applicable to the proxy for the requested resource. 4800 challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 4802 Note: Many clients fail to parse a challenge that contains an 4803 unknown scheme. A workaround for this problem is to list well- 4804 supported schemes (such as "basic") first. 4806 A user agent that wishes to authenticate itself with an origin server 4807 -- usually, but not necessarily, after receiving a 401 (Unauthorized) 4808 -- can do so by including an Authorization header field with the 4809 request. 4811 A client that wishes to authenticate itself with a proxy -- usually, 4812 but not necessarily, after receiving a 407 (Proxy Authentication 4813 Required) -- can do so by including a Proxy-Authorization header 4814 field with the request. 4816 Both the Authorization field value and the Proxy-Authorization field 4817 value contain the client's credentials for the realm of the resource 4818 being requested, based upon a challenge received in a response 4819 (possibly at some point in the past). When creating their values, 4820 the user agent ought to do so by selecting the challenge with what it 4821 considers to be the most secure auth-scheme that it understands, 4822 obtaining credentials from the user as appropriate. Transmission of 4823 credentials within header field values implies significant security 4824 considerations regarding the confidentiality of the underlying 4825 connection, as described in Section 13.14.1. 4827 credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 4829 Upon receipt of a request for a protected resource that omits 4830 credentials, contains invalid credentials (e.g., a bad password) or 4831 partial credentials (e.g., when the authentication scheme requires 4832 more than one round trip), an origin server SHOULD send a 401 4833 (Unauthorized) response that contains a WWW-Authenticate header field 4834 with at least one (possibly new) challenge applicable to the 4835 requested resource. 4837 Likewise, upon receipt of a request that omits proxy credentials or 4838 contains invalid or partial proxy credentials, a proxy that requires 4839 authentication SHOULD generate a 407 (Proxy Authentication Required) 4840 response that contains a Proxy-Authenticate header field with at 4841 least one (possibly new) challenge applicable to the proxy. 4843 A server that receives valid credentials that are not adequate to 4844 gain access ought to respond with the 403 (Forbidden) status code 4845 (Section 9.5.4). 4847 HTTP does not restrict applications to this simple challenge-response 4848 framework for access authentication. Additional mechanisms can be 4849 used, such as authentication at the transport level or via message 4850 encapsulation, and with additional header fields specifying 4851 authentication information. However, such additional mechanisms are 4852 not defined by this specification. 4854 8.5.2. Protection Space (Realm) 4856 The "realm" authentication parameter is reserved for use by 4857 authentication schemes that wish to indicate a scope of protection. 4859 A protection space is defined by the canonical root URI (the scheme 4860 and authority components of the effective request URI; see 4861 Section 5.3) of the server being accessed, in combination with the 4862 realm value if present. These realms allow the protected resources 4863 on a server to be partitioned into a set of protection spaces, each 4864 with its own authentication scheme and/or authorization database. 4865 The realm value is a string, generally assigned by the origin server, 4866 that can have additional semantics specific to the authentication 4867 scheme. Note that a response can have multiple challenges with the 4868 same auth-scheme but with different realms. 4870 The protection space determines the domain over which credentials can 4871 be automatically applied. If a prior request has been authorized, 4872 the user agent MAY reuse the same credentials for all other requests 4873 within that protection space for a period of time determined by the 4874 authentication scheme, parameters, and/or user preferences (such as a 4875 configurable inactivity timeout). Unless specifically allowed by the 4876 authentication scheme, a single protection space cannot extend 4877 outside the scope of its server. 4879 For historical reasons, a sender MUST only generate the quoted-string 4880 syntax. Recipients might have to support both token and quoted- 4881 string syntax for maximum interoperability with existing clients that 4882 have been accepting both notations for a long time. 4884 8.5.3. Authorization 4886 The "Authorization" header field allows a user agent to authenticate 4887 itself with an origin server -- usually, but not necessarily, after 4888 receiving a 401 (Unauthorized) response. Its value consists of 4889 credentials containing the authentication information of the user 4890 agent for the realm of the resource being requested. 4892 Authorization = credentials 4894 If a request is authenticated and a realm specified, the same 4895 credentials are presumed to be valid for all other requests within 4896 this realm (assuming that the authentication scheme itself does not 4897 require otherwise, such as credentials that vary according to a 4898 challenge value or using synchronized clocks). 4900 A proxy forwarding a request MUST NOT modify any Authorization fields 4901 in that request. See Section 3.2 of [Caching] for details of and 4902 requirements pertaining to handling of the Authorization field by 4903 HTTP caches. 4905 8.5.4. Proxy-Authorization 4907 The "Proxy-Authorization" header field allows the client to identify 4908 itself (or its user) to a proxy that requires authentication. Its 4909 value consists of credentials containing the authentication 4910 information of the client for the proxy and/or realm of the resource 4911 being requested. 4913 Proxy-Authorization = credentials 4915 Unlike Authorization, the Proxy-Authorization header field applies 4916 only to the next inbound proxy that demanded authentication using the 4917 Proxy-Authenticate field. When multiple proxies are used in a chain, 4918 the Proxy-Authorization header field is consumed by the first inbound 4919 proxy that was expecting to receive credentials. A proxy MAY relay 4920 the credentials from the client request to the next proxy if that is 4921 the mechanism by which the proxies cooperatively authenticate a given 4922 request. 4924 8.5.5. Authentication Scheme Extensibility 4926 Aside from the general framework, this document does not specify any 4927 authentication schemes. New and existing authentication schemes are 4928 specified independently and ought to be registered within the 4929 "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry". 4930 For example, the "basic" and "digest" authentication schemes are 4931 defined by RFC 7617 and RFC 7616, respectively. 4933 8.5.5.1. Authentication Scheme Registry 4935 The "Hypertext Transfer Protocol (HTTP) Authentication Scheme 4936 Registry" defines the namespace for the authentication schemes in 4937 challenges and credentials. It is maintained at 4938 . 4940 Registrations MUST include the following fields: 4942 o Authentication Scheme Name 4944 o Pointer to specification text 4946 o Notes (optional) 4948 Values to be added to this namespace require IETF Review (see 4949 [RFC8126], Section 4.8). 4951 8.5.5.2. Considerations for New Authentication Schemes 4953 There are certain aspects of the HTTP Authentication framework that 4954 put constraints on how new authentication schemes can work: 4956 o HTTP authentication is presumed to be stateless: all of the 4957 information necessary to authenticate a request MUST be provided 4958 in the request, rather than be dependent on the server remembering 4959 prior requests. Authentication based on, or bound to, the 4960 underlying connection is outside the scope of this specification 4961 and inherently flawed unless steps are taken to ensure that the 4962 connection cannot be used by any party other than the 4963 authenticated user (see Section 2.2). 4965 o The authentication parameter "realm" is reserved for defining 4966 protection spaces as described in Section 8.5.2. New schemes MUST 4967 NOT use it in a way incompatible with that definition. 4969 o The "token68" notation was introduced for compatibility with 4970 existing authentication schemes and can only be used once per 4971 challenge or credential. Thus, new schemes ought to use the auth- 4972 param syntax instead, because otherwise future extensions will be 4973 impossible. 4975 o The parsing of challenges and credentials is defined by this 4976 specification and cannot be modified by new authentication 4977 schemes. When the auth-param syntax is used, all parameters ought 4978 to support both token and quoted-string syntax, and syntactical 4979 constraints ought to be defined on the field value after parsing 4980 (i.e., quoted-string processing). This is necessary so that 4981 recipients can use a generic parser that applies to all 4982 authentication schemes. 4984 Note: The fact that the value syntax for the "realm" parameter is 4985 restricted to quoted-string was a bad design choice not to be 4986 repeated for new parameters. 4988 o Definitions of new schemes ought to define the treatment of 4989 unknown extension parameters. In general, a "must-ignore" rule is 4990 preferable to a "must-understand" rule, because otherwise it will 4991 be hard to introduce new parameters in the presence of legacy 4992 recipients. Furthermore, it's good to describe the policy for 4993 defining new parameters (such as "update the specification" or 4994 "use this registry"). 4996 o Authentication schemes need to document whether they are usable in 4997 origin-server authentication (i.e., using WWW-Authenticate), and/ 4998 or proxy authentication (i.e., using Proxy-Authenticate). 5000 o The credentials carried in an Authorization header field are 5001 specific to the user agent and, therefore, have the same effect on 5002 HTTP caches as the "private" Cache-Control response directive 5003 (Section 5.2.2.6 of [Caching]), within the scope of the request in 5004 which they appear. 5006 Therefore, new authentication schemes that choose not to carry 5007 credentials in the Authorization header field (e.g., using a newly 5008 defined header field) will need to explicitly disallow caching, by 5009 mandating the use of Cache-Control response directives (e.g., 5010 "private"). 5012 o Schemes using Authentication-Info, Proxy-Authentication-Info, or 5013 any other authentication related response header field need to 5014 consider and document the related security considerations (see 5015 Section 13.14.4). 5017 8.6. Request Context 5019 The following request header fields provide additional information 5020 about the request context, including information about the user, user 5021 agent, and resource behind the request. 5023 +-------------------+---------------+ 5024 | Header Field Name | Defined in... | 5025 +-------------------+---------------+ 5026 | From | Section 8.6.1 | 5027 | Referer | Section 8.6.2 | 5028 | User-Agent | Section 8.6.3 | 5029 +-------------------+---------------+ 5031 8.6.1. From 5033 The "From" header field contains an Internet email address for a 5034 human user who controls the requesting user agent. The address ought 5035 to be machine-usable, as defined by "mailbox" in Section 3.4 of 5036 [RFC5322]: 5038 From = mailbox 5040 mailbox = 5042 An example is: 5044 From: webmaster@example.org 5046 The From header field is rarely sent by non-robotic user agents. A 5047 user agent SHOULD NOT send a From header field without explicit 5048 configuration by the user, since that might conflict with the user's 5049 privacy interests or their site's security policy. 5051 A robotic user agent SHOULD send a valid From header field so that 5052 the person responsible for running the robot can be contacted if 5053 problems occur on servers, such as if the robot is sending excessive, 5054 unwanted, or invalid requests. 5056 A server SHOULD NOT use the From header field for access control or 5057 authentication, since most recipients will assume that the field 5058 value is public information. 5060 8.6.2. Referer 5062 The "Referer" [sic] header field allows the user agent to specify a 5063 URI reference for the resource from which the target URI was obtained 5064 (i.e., the "referrer", though the field name is misspelled). A user 5065 agent MUST NOT include the fragment and userinfo components of the 5066 URI reference [RFC3986], if any, when generating the Referer field 5067 value. 5069 Referer = absolute-URI / partial-URI 5071 The Referer header field allows servers to generate back-links to 5072 other resources for simple analytics, logging, optimized caching, 5073 etc. It also allows obsolete or mistyped links to be found for 5074 maintenance. Some servers use the Referer header field as a means of 5075 denying links from other sites (so-called "deep linking") or 5076 restricting cross-site request forgery (CSRF), but not all requests 5077 contain it. 5079 Example: 5081 Referer: http://www.example.org/hypertext/Overview.html 5083 If the target URI was obtained from a source that does not have its 5084 own URI (e.g., input from the user keyboard, or an entry within the 5085 user's bookmarks/favorites), the user agent MUST either exclude the 5086 Referer field or send it with a value of "about:blank". 5088 The Referer field has the potential to reveal information about the 5089 request context or browsing history of the user, which is a privacy 5090 concern if the referring resource's identifier reveals personal 5091 information (such as an account name) or a resource that is supposed 5092 to be confidential (such as behind a firewall or internal to a 5093 secured service). Most general-purpose user agents do not send the 5094 Referer header field when the referring resource is a local "file" or 5095 "data" URI. A user agent MUST NOT send a Referer header field in an 5096 unsecured HTTP request if the referring page was received with a 5097 secure protocol. See Section 13.8 for additional security 5098 considerations. 5100 Some intermediaries have been known to indiscriminately remove 5101 Referer header fields from outgoing requests. This has the 5102 unfortunate side effect of interfering with protection against CSRF 5103 attacks, which can be far more harmful to their users. 5104 Intermediaries and user agent extensions that wish to limit 5105 information disclosure in Referer ought to restrict their changes to 5106 specific edits, such as replacing internal domain names with 5107 pseudonyms or truncating the query and/or path components. An 5108 intermediary SHOULD NOT modify or delete the Referer header field 5109 when the field value shares the same scheme and host as the request 5110 target. 5112 8.6.3. User-Agent 5114 The "User-Agent" header field contains information about the user 5115 agent originating the request, which is often used by servers to help 5116 identify the scope of reported interoperability problems, to work 5117 around or tailor responses to avoid particular user agent 5118 limitations, and for analytics regarding browser or operating system 5119 use. A user agent SHOULD send a User-Agent field in each request 5120 unless specifically configured not to do so. 5122 User-Agent = product *( RWS ( product / comment ) ) 5124 The User-Agent field-value consists of one or more product 5125 identifiers, each followed by zero or more comments 5126 (Section 4.2.3.3), which together identify the user agent software 5127 and its significant subproducts. By convention, the product 5128 identifiers are listed in decreasing order of their significance for 5129 identifying the user agent software. Each product identifier 5130 consists of a name and optional version. 5132 product = token ["/" product-version] 5133 product-version = token 5135 A sender SHOULD limit generated product identifiers to what is 5136 necessary to identify the product; a sender MUST NOT generate 5137 advertising or other nonessential information within the product 5138 identifier. A sender SHOULD NOT generate information in product- 5139 version that is not a version identifier (i.e., successive versions 5140 of the same product name ought to differ only in the product-version 5141 portion of the product identifier). 5143 Example: 5145 User-Agent: CERN-LineMode/2.15 libwww/2.17b3 5147 A user agent SHOULD NOT generate a User-Agent field containing 5148 needlessly fine-grained detail and SHOULD limit the addition of 5149 subproducts by third parties. Overly long and detailed User-Agent 5150 field values increase request latency and the risk of a user being 5151 identified against their wishes ("fingerprinting"). 5153 Likewise, implementations are encouraged not to use the product 5154 tokens of other implementations in order to declare compatibility 5155 with them, as this circumvents the purpose of the field. If a user 5156 agent masquerades as a different user agent, recipients can assume 5157 that the user intentionally desires to see responses tailored for 5158 that identified user agent, even if they might not work as well for 5159 the actual user agent being used. 5161 9. Response Status Codes 5163 The (response) status code is a three-digit integer code giving the 5164 result of the attempt to understand and satisfy the request. 5166 HTTP status codes are extensible. HTTP clients are not required to 5167 understand the meaning of all registered status codes, though such 5168 understanding is obviously desirable. However, a client MUST 5169 understand the class of any status code, as indicated by the first 5170 digit, and treat an unrecognized status code as being equivalent to 5171 the x00 status code of that class, with the exception that a 5172 recipient MUST NOT cache a response with an unrecognized status code. 5174 For example, if an unrecognized status code of 471 is received by a 5175 client, the client can assume that there was something wrong with its 5176 request and treat the response as if it had received a 400 (Bad 5177 Request) status code. The response message will usually contain a 5178 representation that explains the status. 5180 The first digit of the status code defines the class of response. 5181 The last two digits do not have any categorization role. There are 5182 five values for the first digit: 5184 o 1xx (Informational): The request was received, continuing process 5186 o 2xx (Successful): The request was successfully received, 5187 understood, and accepted 5189 o 3xx (Redirection): Further action needs to be taken in order to 5190 complete the request 5192 o 4xx (Client Error): The request contains bad syntax or cannot be 5193 fulfilled 5195 o 5xx (Server Error): The server failed to fulfill an apparently 5196 valid request 5198 9.1. Overview of Status Codes 5200 The status codes listed below are defined in this specification. The 5201 reason phrases listed here are only recommendations -- they can be 5202 replaced by local equivalents without affecting the protocol. 5204 Responses with status codes that are defined as heuristically 5205 cacheable (e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 5206 and 501 in this specification) can be reused by a cache with 5207 heuristic expiration unless otherwise indicated by the method 5208 definition or explicit cache controls [Caching]; all other status 5209 codes are not heuristically cacheable. 5211 +-------+-------------------------------+-----------------+ 5212 | Value | Description | Reference | 5213 +-------+-------------------------------+-----------------+ 5214 | 100 | Continue | Section 9.2.1 | 5215 | 101 | Switching Protocols | Section 9.2.2 | 5216 | 200 | OK | Section 9.3.1 | 5217 | 201 | Created | Section 9.3.2 | 5218 | 202 | Accepted | Section 9.3.3 | 5219 | 203 | Non-Authoritative Information | Section 9.3.4 | 5220 | 204 | No Content | Section 9.3.5 | 5221 | 205 | Reset Content | Section 9.3.6 | 5222 | 206 | Partial Content | Section 9.3.7 | 5223 | 300 | Multiple Choices | Section 9.4.1 | 5224 | 301 | Moved Permanently | Section 9.4.2 | 5225 | 302 | Found | Section 9.4.3 | 5226 | 303 | See Other | Section 9.4.4 | 5227 | 304 | Not Modified | Section 9.4.5 | 5228 | 305 | Use Proxy | Section 9.4.6 | 5229 | 306 | (Unused) | Section 9.4.7 | 5230 | 307 | Temporary Redirect | Section 9.4.8 | 5231 | 308 | Permanent Redirect | Section 9.4.9 | 5232 | 400 | Bad Request | Section 9.5.1 | 5233 | 401 | Unauthorized | Section 9.5.2 | 5234 | 402 | Payment Required | Section 9.5.3 | 5235 | 403 | Forbidden | Section 9.5.4 | 5236 | 404 | Not Found | Section 9.5.5 | 5237 | 405 | Method Not Allowed | Section 9.5.6 | 5238 | 406 | Not Acceptable | Section 9.5.7 | 5239 | 407 | Proxy Authentication Required | Section 9.5.8 | 5240 | 408 | Request Timeout | Section 9.5.9 | 5241 | 409 | Conflict | Section 9.5.10 | 5242 | 410 | Gone | Section 9.5.11 | 5243 | 411 | Length Required | Section 9.5.12 | 5244 | 412 | Precondition Failed | Section 9.5.13 | 5245 | 413 | Payload Too Large | Section 9.5.14 | 5246 | 414 | URI Too Long | Section 9.5.15 | 5247 | 415 | Unsupported Media Type | Section 9.5.16 | 5248 | 416 | Range Not Satisfiable | Section 9.5.17 | 5249 | 417 | Expectation Failed | Section 9.5.18 | 5250 | 418 | (Unused) | Section 9.5.19 | 5251 | 422 | Unprocessable Payload | Section 9.5.20 | 5252 | 426 | Upgrade Required | Section 9.5.21 | 5253 | 500 | Internal Server Error | Section 9.6.1 | 5254 | 501 | Not Implemented | Section 9.6.2 | 5255 | 502 | Bad Gateway | Section 9.6.3 | 5256 | 503 | Service Unavailable | Section 9.6.4 | 5257 | 504 | Gateway Timeout | Section 9.6.5 | 5258 | 505 | HTTP Version Not Supported | Section 9.6.6 | 5259 +-------+-------------------------------+-----------------+ 5261 Table 6 5263 Note that this list is not exhaustive -- it does not include 5264 extension status codes defined in other specifications (Section 9.7). 5266 9.2. Informational 1xx 5268 The 1xx (Informational) class of status code indicates an interim 5269 response for communicating connection status or request progress 5270 prior to completing the requested action and sending a final 5271 response. 1xx responses are terminated by the first empty line after 5272 the status-line (the empty line signaling the end of the header 5273 section). Since HTTP/1.0 did not define any 1xx status codes, a 5274 server MUST NOT send a 1xx response to an HTTP/1.0 client. 5276 A client MUST be able to parse one or more 1xx responses received 5277 prior to a final response, even if the client does not expect one. A 5278 user agent MAY ignore unexpected 1xx responses. 5280 A proxy MUST forward 1xx responses unless the proxy itself requested 5281 the generation of the 1xx response. For example, if a proxy adds an 5282 "Expect: 100-continue" field when it forwards a request, then it need 5283 not forward the corresponding 100 (Continue) response(s). 5285 9.2.1. 100 Continue 5287 The 100 (Continue) status code indicates that the initial part of a 5288 request has been received and has not yet been rejected by the 5289 server. The server intends to send a final response after the 5290 request has been fully received and acted upon. 5292 When the request contains an Expect header field that includes a 5293 100-continue expectation, the 100 response indicates that the server 5294 wishes to receive the request payload body, as described in 5295 Section 8.1.1. The client ought to continue sending the request and 5296 discard the 100 response. 5298 If the request did not contain an Expect header field containing the 5299 100-continue expectation, the client can simply discard this interim 5300 response. 5302 9.2.2. 101 Switching Protocols 5304 The 101 (Switching Protocols) status code indicates that the server 5305 understands and is willing to comply with the client's request, via 5306 the Upgrade header field (Section 9.9 of [Messaging]), for a change 5307 in the application protocol being used on this connection. The 5308 server MUST generate an Upgrade header field in the response that 5309 indicates which protocol(s) will be switched to immediately after the 5310 empty line that terminates the 101 response. 5312 It is assumed that the server will only agree to switch protocols 5313 when it is advantageous to do so. For example, switching to a newer 5314 version of HTTP might be advantageous over older versions, and 5315 switching to a real-time, synchronous protocol might be advantageous 5316 when delivering resources that use such features. 5318 9.3. Successful 2xx 5320 The 2xx (Successful) class of status code indicates that the client's 5321 request was successfully received, understood, and accepted. 5323 9.3.1. 200 OK 5325 The 200 (OK) status code indicates that the request has succeeded. 5326 The payload sent in a 200 response depends on the request method. 5327 For the methods defined by this specification, the intended meaning 5328 of the payload can be summarized as: 5330 GET a representation of the target resource; 5331 HEAD the same representation as GET, but without the representation 5332 data; 5334 POST a representation of the status of, or results obtained from, 5335 the action; 5337 PUT, DELETE a representation of the status of the action; 5339 OPTIONS a representation of the communications options; 5341 TRACE a representation of the request message as received by the end 5342 server. 5344 Aside from responses to CONNECT, a 200 response always has a payload, 5345 though an origin server MAY generate a payload body of zero length. 5346 If no payload is desired, an origin server ought to send 204 (No 5347 Content) instead. For CONNECT, no payload is allowed because the 5348 successful result is a tunnel, which begins immediately after the 200 5349 response header section. 5351 A 200 response is heuristically cacheable; i.e., unless otherwise 5352 indicated by the method definition or explicit cache controls (see 5353 Section 4.2.2 of [Caching]). 5355 9.3.2. 201 Created 5357 The 201 (Created) status code indicates that the request has been 5358 fulfilled and has resulted in one or more new resources being 5359 created. The primary resource created by the request is identified 5360 by either a Location header field in the response or, if no Location 5361 field is received, by the effective request URI. 5363 The 201 response payload typically describes and links to the 5364 resource(s) created. See Section 10.2 for a discussion of the 5365 meaning and purpose of validator header fields, such as ETag and 5366 Last-Modified, in a 201 response. 5368 9.3.3. 202 Accepted 5370 The 202 (Accepted) status code indicates that the request has been 5371 accepted for processing, but the processing has not been completed. 5372 The request might or might not eventually be acted upon, as it might 5373 be disallowed when processing actually takes place. There is no 5374 facility in HTTP for re-sending a status code from an asynchronous 5375 operation. 5377 The 202 response is intentionally noncommittal. Its purpose is to 5378 allow a server to accept a request for some other process (perhaps a 5379 batch-oriented process that is only run once per day) without 5380 requiring that the user agent's connection to the server persist 5381 until the process is completed. The representation sent with this 5382 response ought to describe the request's current status and point to 5383 (or embed) a status monitor that can provide the user with an 5384 estimate of when the request will be fulfilled. 5386 9.3.4. 203 Non-Authoritative Information 5388 The 203 (Non-Authoritative Information) status code indicates that 5389 the request was successful but the enclosed payload has been modified 5390 from that of the origin server's 200 (OK) response by a transforming 5391 proxy (Section 5.5.2). This status code allows the proxy to notify 5392 recipients when a transformation has been applied, since that 5393 knowledge might impact later decisions regarding the content. For 5394 example, future cache validation requests for the content might only 5395 be applicable along the same request path (through the same proxies). 5397 The 203 response is similar to the Warning code of 214 Transformation 5398 Applied (Section 5.5 of [Caching]), which has the advantage of being 5399 applicable to responses with any status code. 5401 A 203 response is heuristically cacheable; i.e., unless otherwise 5402 indicated by the method definition or explicit cache controls (see 5403 Section 4.2.2 of [Caching]). 5405 9.3.5. 204 No Content 5407 The 204 (No Content) status code indicates that the server has 5408 successfully fulfilled the request and that there is no additional 5409 content to send in the response payload body. Metadata in the 5410 response header fields refer to the target resource and its selected 5411 representation after the requested action was applied. 5413 For example, if a 204 status code is received in response to a PUT 5414 request and the response contains an ETag header field, then the PUT 5415 was successful and the ETag field-value contains the entity-tag for 5416 the new representation of that target resource. 5418 The 204 response allows a server to indicate that the action has been 5419 successfully applied to the target resource, while implying that the 5420 user agent does not need to traverse away from its current "document 5421 view" (if any). The server assumes that the user agent will provide 5422 some indication of the success to its user, in accord with its own 5423 interface, and apply any new or updated metadata in the response to 5424 its active representation. 5426 For example, a 204 status code is commonly used with document editing 5427 interfaces corresponding to a "save" action, such that the document 5428 being saved remains available to the user for editing. It is also 5429 frequently used with interfaces that expect automated data transfers 5430 to be prevalent, such as within distributed version control systems. 5432 A 204 response is terminated by the first empty line after the header 5433 fields because it cannot contain a message body. 5435 A 204 response is heuristically cacheable; i.e., unless otherwise 5436 indicated by the method definition or explicit cache controls (see 5437 Section 4.2.2 of [Caching]). 5439 9.3.6. 205 Reset Content 5441 The 205 (Reset Content) status code indicates that the server has 5442 fulfilled the request and desires that the user agent reset the 5443 "document view", which caused the request to be sent, to its original 5444 state as received from the origin server. 5446 This response is intended to support a common data entry use case 5447 where the user receives content that supports data entry (a form, 5448 notepad, canvas, etc.), enters or manipulates data in that space, 5449 causes the entered data to be submitted in a request, and then the 5450 data entry mechanism is reset for the next entry so that the user can 5451 easily initiate another input action. 5453 Since the 205 status code implies that no additional content will be 5454 provided, a server MUST NOT generate a payload in a 205 response. In 5455 other words, a server MUST do one of the following for a 205 5456 response: a) indicate a zero-length body for the response by 5457 including a Content-Length header field with a value of 0; b) 5458 indicate a zero-length payload for the response by including a 5459 Transfer-Encoding header field with a value of chunked and a message 5460 body consisting of a single chunk of zero-length; or, c) close the 5461 connection immediately after sending the blank line terminating the 5462 header section. 5464 9.3.7. 206 Partial Content 5466 The 206 (Partial Content) status code indicates that the server is 5467 successfully fulfilling a range request for the target resource by 5468 transferring one or more parts of the selected representation. 5470 When a 206 response is generated, the server MUST generate the 5471 following header fields, in addition to those required in the 5472 subsections below, if the field would have been sent in a 200 (OK) 5473 response to the same request: Date, Cache-Control, ETag, Expires, 5474 Content-Location, and Vary. 5476 If a 206 is generated in response to a request with an If-Range 5477 header field, the sender SHOULD NOT generate other representation 5478 header fields beyond those required, because the client is understood 5479 to already have a prior response containing those header fields. 5480 Otherwise, the sender MUST generate all of the representation header 5481 fields that would have been sent in a 200 (OK) response to the same 5482 request. 5484 A 206 response is heuristically cacheable; i.e., unless otherwise 5485 indicated by explicit cache controls (see Section 4.2.2 of 5486 [Caching]). 5488 9.3.7.1. Single Part 5490 If a single part is being transferred, the server generating the 206 5491 response MUST generate a Content-Range header field, describing what 5492 range of the selected representation is enclosed, and a payload 5493 consisting of the range. For example: 5495 HTTP/1.1 206 Partial Content 5496 Date: Wed, 15 Nov 1995 06:25:24 GMT 5497 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 5498 Content-Range: bytes 21010-47021/47022 5499 Content-Length: 26012 5500 Content-Type: image/gif 5502 ... 26012 bytes of partial image data ... 5504 9.3.7.2. Multiple Parts 5506 If multiple parts are being transferred, the server generating the 5507 206 response MUST generate a "multipart/byteranges" payload, as 5508 defined in Section 6.3.5, and a Content-Type header field containing 5509 the multipart/byteranges media type and its required boundary 5510 parameter. To avoid confusion with single-part responses, a server 5511 MUST NOT generate a Content-Range header field in the HTTP header 5512 section of a multiple part response (this field will be sent in each 5513 part instead). 5515 Within the header area of each body part in the multipart payload, 5516 the server MUST generate a Content-Range header field corresponding 5517 to the range being enclosed in that body part. If the selected 5518 representation would have had a Content-Type header field in a 200 5519 (OK) response, the server SHOULD generate that same Content-Type 5520 field in the header area of each body part. For example: 5522 HTTP/1.1 206 Partial Content 5523 Date: Wed, 15 Nov 1995 06:25:24 GMT 5524 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 5525 Content-Length: 1741 5526 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 5528 --THIS_STRING_SEPARATES 5529 Content-Type: application/pdf 5530 Content-Range: bytes 500-999/8000 5532 ...the first range... 5533 --THIS_STRING_SEPARATES 5534 Content-Type: application/pdf 5535 Content-Range: bytes 7000-7999/8000 5537 ...the second range 5538 --THIS_STRING_SEPARATES-- 5540 When multiple ranges are requested, a server MAY coalesce any of the 5541 ranges that overlap, or that are separated by a gap that is smaller 5542 than the overhead of sending multiple parts, regardless of the order 5543 in which the corresponding range-spec appeared in the received Range 5544 header field. Since the typical overhead between parts of a 5545 multipart/byteranges payload is around 80 bytes, depending on the 5546 selected representation's media type and the chosen boundary 5547 parameter length, it can be less efficient to transfer many small 5548 disjoint parts than it is to transfer the entire selected 5549 representation. 5551 A server MUST NOT generate a multipart response to a request for a 5552 single range, since a client that does not request multiple parts 5553 might not support multipart responses. However, a server MAY 5554 generate a multipart/byteranges payload with only a single body part 5555 if multiple ranges were requested and only one range was found to be 5556 satisfiable or only one range remained after coalescing. A client 5557 that cannot process a multipart/byteranges response MUST NOT generate 5558 a request that asks for multiple ranges. 5560 When a multipart response payload is generated, the server SHOULD 5561 send the parts in the same order that the corresponding range-spec 5562 appeared in the received Range header field, excluding those ranges 5563 that were deemed unsatisfiable or that were coalesced into other 5564 ranges. A client that receives a multipart response MUST inspect the 5565 Content-Range header field present in each body part in order to 5566 determine which range is contained in that body part; a client cannot 5567 rely on receiving the same ranges that it requested, nor the same 5568 order that it requested. 5570 9.3.7.3. Combining Parts 5572 A response might transfer only a subrange of a representation if the 5573 connection closed prematurely or if the request used one or more 5574 Range specifications. After several such transfers, a client might 5575 have received several ranges of the same representation. These 5576 ranges can only be safely combined if they all have in common the 5577 same strong validator (Section 10.2.1). 5579 A client that has received multiple partial responses to GET requests 5580 on a target resource MAY combine those responses into a larger 5581 continuous range if they share the same strong validator. 5583 If the most recent response is an incomplete 200 (OK) response, then 5584 the header fields of that response are used for any combined response 5585 and replace those of the matching stored responses. 5587 If the most recent response is a 206 (Partial Content) response and 5588 at least one of the matching stored responses is a 200 (OK), then the 5589 combined response header fields consist of the most recent 200 5590 response's header fields. If all of the matching stored responses 5591 are 206 responses, then the stored response with the most recent 5592 header fields is used as the source of header fields for the combined 5593 response, except that the client MUST use other header fields 5594 provided in the new response, aside from Content-Range, to replace 5595 all instances of the corresponding header fields in the stored 5596 response. 5598 The combined response message body consists of the union of partial 5599 content ranges in the new response and each of the selected 5600 responses. If the union consists of the entire range of the 5601 representation, then the client MUST process the combined response as 5602 if it were a complete 200 (OK) response, including a Content-Length 5603 header field that reflects the complete length. Otherwise, the 5604 client MUST process the set of continuous ranges as one of the 5605 following: an incomplete 200 (OK) response if the combined response 5606 is a prefix of the representation, a single 206 (Partial Content) 5607 response containing a multipart/byteranges body, or multiple 206 5608 (Partial Content) responses, each with one continuous range that is 5609 indicated by a Content-Range header field. 5611 9.4. Redirection 3xx 5613 The 3xx (Redirection) class of status code indicates that further 5614 action needs to be taken by the user agent in order to fulfill the 5615 request. If a Location header field (Section 10.1.2) is provided, 5616 the user agent MAY automatically redirect its request to the URI 5617 referenced by the Location field value, even if the specific status 5618 code is not understood. Automatic redirection needs to be done with 5619 care for methods not known to be safe, as defined in Section 7.2.1, 5620 since the user might not wish to redirect an unsafe request. 5622 There are several types of redirects: 5624 1. Redirects that indicate the resource might be available at a 5625 different URI, as provided by the Location field, as in the 5626 status codes 301 (Moved Permanently), 302 (Found), 307 (Temporary 5627 Redirect), and 308 (Permanent Redirect). 5629 2. Redirection that offers a choice of matching resources, each 5630 capable of representing the original request target, as in the 5631 300 (Multiple Choices) status code. 5633 3. Redirection to a different resource, identified by the Location 5634 field, that can represent an indirect response to the request, as 5635 in the 303 (See Other) status code. 5637 4. Redirection to a previously cached result, as in the 304 (Not 5638 Modified) status code. 5640 Note: In HTTP/1.0, the status codes 301 (Moved Permanently) and 5641 302 (Found) were defined for the first type of redirect 5642 ([RFC1945], Section 9.3). Early user agents split on whether the 5643 method applied to the redirect target would be the same as the 5644 original request or would be rewritten as GET. Although HTTP 5645 originally defined the former semantics for 301 and 302 (to match 5646 its original implementation at CERN), and defined 303 (See Other) 5647 to match the latter semantics, prevailing practice gradually 5648 converged on the latter semantics for 301 and 302 as well. The 5649 first revision of HTTP/1.1 added 307 (Temporary Redirect) to 5650 indicate the former semantics of 302 without being impacted by 5651 divergent practice. For the same reason, 308 (Permanent Redirect) 5652 was later on added in [RFC7538] to match 301. Over 10 years 5653 later, most user agents still do method rewriting for 301 and 302; 5654 therefore, [RFC7231] made that behavior conformant when the 5655 original request is POST. 5657 A client SHOULD detect and intervene in cyclical redirections (i.e., 5658 "infinite" redirection loops). 5660 Note: An earlier version of this specification recommended a 5661 maximum of five redirections ([RFC2068], Section 10.3). Content 5662 developers need to be aware that some clients might implement such 5663 a fixed limitation. 5665 9.4.1. 300 Multiple Choices 5667 The 300 (Multiple Choices) status code indicates that the target 5668 resource has more than one representation, each with its own more 5669 specific identifier, and information about the alternatives is being 5670 provided so that the user (or user agent) can select a preferred 5671 representation by redirecting its request to one or more of those 5672 identifiers. In other words, the server desires that the user agent 5673 engage in reactive negotiation to select the most appropriate 5674 representation(s) for its needs (Section 6.4). 5676 If the server has a preferred choice, the server SHOULD generate a 5677 Location header field containing a preferred choice's URI reference. 5678 The user agent MAY use the Location field value for automatic 5679 redirection. 5681 For request methods other than HEAD, the server SHOULD generate a 5682 payload in the 300 response containing a list of representation 5683 metadata and URI reference(s) from which the user or user agent can 5684 choose the one most preferred. The user agent MAY make a selection 5685 from that list automatically if it understands the provided media 5686 type. A specific format for automatic selection is not defined by 5687 this specification because HTTP tries to remain orthogonal to the 5688 definition of its payloads. In practice, the representation is 5689 provided in some easily parsed format believed to be acceptable to 5690 the user agent, as determined by shared design or content 5691 negotiation, or in some commonly accepted hypertext format. 5693 A 300 response is heuristically cacheable; i.e., unless otherwise 5694 indicated by the method definition or explicit cache controls (see 5695 Section 4.2.2 of [Caching]). 5697 Note: The original proposal for the 300 status code defined the 5698 URI header field as providing a list of alternative 5699 representations, such that it would be usable for 200, 300, and 5700 406 responses and be transferred in responses to the HEAD method. 5701 However, lack of deployment and disagreement over syntax led to 5702 both URI and Alternates (a subsequent proposal) being dropped from 5703 this specification. It is possible to communicate the list using 5704 a set of Link header fields [RFC8288], each with a relationship of 5705 "alternate", though deployment is a chicken-and-egg problem. 5707 9.4.2. 301 Moved Permanently 5709 The 301 (Moved Permanently) status code indicates that the target 5710 resource has been assigned a new permanent URI and any future 5711 references to this resource ought to use one of the enclosed URIs. 5712 Clients with link-editing capabilities ought to automatically re-link 5713 references to the effective request URI to one or more of the new 5714 references sent by the server, where possible. 5716 The server SHOULD generate a Location header field in the response 5717 containing a preferred URI reference for the new permanent URI. The 5718 user agent MAY use the Location field value for automatic 5719 redirection. The server's response payload usually contains a short 5720 hypertext note with a hyperlink to the new URI(s). 5722 Note: For historical reasons, a user agent MAY change the request 5723 method from POST to GET for the subsequent request. If this 5724 behavior is undesired, the 308 (Permanent Redirect) status code 5725 can be used instead. 5727 A 301 response is heuristically cacheable; i.e., unless otherwise 5728 indicated by the method definition or explicit cache controls (see 5729 Section 4.2.2 of [Caching]). 5731 9.4.3. 302 Found 5733 The 302 (Found) status code indicates that the target resource 5734 resides temporarily under a different URI. Since the redirection 5735 might be altered on occasion, the client ought to continue to use the 5736 effective request URI for future requests. 5738 The server SHOULD generate a Location header field in the response 5739 containing a URI reference for the different URI. The user agent MAY 5740 use the Location field value for automatic redirection. The server's 5741 response payload usually contains a short hypertext note with a 5742 hyperlink to the different URI(s). 5744 Note: For historical reasons, a user agent MAY change the request 5745 method from POST to GET for the subsequent request. If this 5746 behavior is undesired, the 307 (Temporary Redirect) status code 5747 can be used instead. 5749 9.4.4. 303 See Other 5751 The 303 (See Other) status code indicates that the server is 5752 redirecting the user agent to a different resource, as indicated by a 5753 URI in the Location header field, which is intended to provide an 5754 indirect response to the original request. A user agent can perform 5755 a retrieval request targeting that URI (a GET or HEAD request if 5756 using HTTP), which might also be redirected, and present the eventual 5757 result as an answer to the original request. Note that the new URI 5758 in the Location header field is not considered equivalent to the 5759 effective request URI. 5761 This status code is applicable to any HTTP method. It is primarily 5762 used to allow the output of a POST action to redirect the user agent 5763 to a selected resource, since doing so provides the information 5764 corresponding to the POST response in a form that can be separately 5765 identified, bookmarked, and cached, independent of the original 5766 request. 5768 A 303 response to a GET request indicates that the origin server does 5769 not have a representation of the target resource that can be 5770 transferred by the server over HTTP. However, the Location field 5771 value refers to a resource that is descriptive of the target 5772 resource, such that making a retrieval request on that other resource 5773 might result in a representation that is useful to recipients without 5774 implying that it represents the original target resource. Note that 5775 answers to the questions of what can be represented, what 5776 representations are adequate, and what might be a useful description 5777 are outside the scope of HTTP. 5779 Except for responses to a HEAD request, the representation of a 303 5780 response ought to contain a short hypertext note with a hyperlink to 5781 the same URI reference provided in the Location header field. 5783 9.4.5. 304 Not Modified 5785 The 304 (Not Modified) status code indicates that a conditional GET 5786 or HEAD request has been received and would have resulted in a 200 5787 (OK) response if it were not for the fact that the condition 5788 evaluated to false. In other words, there is no need for the server 5789 to transfer a representation of the target resource because the 5790 request indicates that the client, which made the request 5791 conditional, already has a valid representation; the server is 5792 therefore redirecting the client to make use of that stored 5793 representation as if it were the payload of a 200 (OK) response. 5795 The server generating a 304 response MUST generate any of the 5796 following header fields that would have been sent in a 200 (OK) 5797 response to the same request: Cache-Control, Content-Location, Date, 5798 ETag, Expires, and Vary. 5800 Since the goal of a 304 response is to minimize information transfer 5801 when the recipient already has one or more cached representations, a 5802 sender SHOULD NOT generate representation metadata other than the 5803 above listed fields unless said metadata exists for the purpose of 5804 guiding cache updates (e.g., Last-Modified might be useful if the 5805 response does not have an ETag field). 5807 Requirements on a cache that receives a 304 response are defined in 5808 Section 4.3.4 of [Caching]. If the conditional request originated 5809 with an outbound client, such as a user agent with its own cache 5810 sending a conditional GET to a shared proxy, then the proxy SHOULD 5811 forward the 304 response to that client. 5813 A 304 response cannot contain a message-body; it is always terminated 5814 by the first empty line after the header fields. 5816 9.4.6. 305 Use Proxy 5818 The 305 (Use Proxy) status code was defined in a previous version of 5819 this specification and is now deprecated (Appendix B of [RFC7231]). 5821 9.4.7. 306 (Unused) 5823 The 306 status code was defined in a previous version of this 5824 specification, is no longer used, and the code is reserved. 5826 9.4.8. 307 Temporary Redirect 5828 The 307 (Temporary Redirect) status code indicates that the target 5829 resource resides temporarily under a different URI and the user agent 5830 MUST NOT change the request method if it performs an automatic 5831 redirection to that URI. Since the redirection can change over time, 5832 the client ought to continue using the original effective request URI 5833 for future requests. 5835 The server SHOULD generate a Location header field in the response 5836 containing a URI reference for the different URI. The user agent MAY 5837 use the Location field value for automatic redirection. The server's 5838 response payload usually contains a short hypertext note with a 5839 hyperlink to the different URI(s). 5841 9.4.9. 308 Permanent Redirect 5843 The 308 (Permanent Redirect) status code indicates that the target 5844 resource has been assigned a new permanent URI and any future 5845 references to this resource ought to use one of the enclosed URIs. 5846 Clients with link editing capabilities ought to automatically re-link 5847 references to the effective request URI to one or more of the new 5848 references sent by the server, where possible. 5850 The server SHOULD generate a Location header field in the response 5851 containing a preferred URI reference for the new permanent URI. The 5852 user agent MAY use the Location field value for automatic 5853 redirection. The server's response payload usually contains a short 5854 hypertext note with a hyperlink to the new URI(s). 5856 A 308 response is heuristically cacheable; i.e., unless otherwise 5857 indicated by the method definition or explicit cache controls (see 5858 Section 4.2.2 of [Caching]). 5860 Note: This status code is much younger (June 2014) than its 5861 sibling codes, and thus might not be recognized everywhere. See 5862 Section 4 of [RFC7538] for deployment considerations. 5864 9.5. Client Error 4xx 5866 The 4xx (Client Error) class of status code indicates that the client 5867 seems to have erred. Except when responding to a HEAD request, the 5868 server SHOULD send a representation containing an explanation of the 5869 error situation, and whether it is a temporary or permanent 5870 condition. These status codes are applicable to any request method. 5871 User agents SHOULD display any included representation to the user. 5873 9.5.1. 400 Bad Request 5875 The 400 (Bad Request) status code indicates that the server cannot or 5876 will not process the request due to something that is perceived to be 5877 a client error (e.g., malformed request syntax, invalid request 5878 message framing, or deceptive request routing). 5880 9.5.2. 401 Unauthorized 5882 The 401 (Unauthorized) status code indicates that the request has not 5883 been applied because it lacks valid authentication credentials for 5884 the target resource. The server generating a 401 response MUST send 5885 a WWW-Authenticate header field (Section 10.3.1) containing at least 5886 one challenge applicable to the target resource. 5888 If the request included authentication credentials, then the 401 5889 response indicates that authorization has been refused for those 5890 credentials. The user agent MAY repeat the request with a new or 5891 replaced Authorization header field (Section 8.5.3). If the 401 5892 response contains the same challenge as the prior response, and the 5893 user agent has already attempted authentication at least once, then 5894 the user agent SHOULD present the enclosed representation to the 5895 user, since it usually contains relevant diagnostic information. 5897 9.5.3. 402 Payment Required 5899 The 402 (Payment Required) status code is reserved for future use. 5901 9.5.4. 403 Forbidden 5903 The 403 (Forbidden) status code indicates that the server understood 5904 the request but refuses to fulfill it. A server that wishes to make 5905 public why the request has been forbidden can describe that reason in 5906 the response payload (if any). 5908 If authentication credentials were provided in the request, the 5909 server considers them insufficient to grant access. The client 5910 SHOULD NOT automatically repeat the request with the same 5911 credentials. The client MAY repeat the request with new or different 5912 credentials. However, a request might be forbidden for reasons 5913 unrelated to the credentials. 5915 An origin server that wishes to "hide" the current existence of a 5916 forbidden target resource MAY instead respond with a status code of 5917 404 (Not Found). 5919 9.5.5. 404 Not Found 5921 The 404 (Not Found) status code indicates that the origin server did 5922 not find a current representation for the target resource or is not 5923 willing to disclose that one exists. A 404 status code does not 5924 indicate whether this lack of representation is temporary or 5925 permanent; the 410 (Gone) status code is preferred over 404 if the 5926 origin server knows, presumably through some configurable means, that 5927 the condition is likely to be permanent. 5929 A 404 response is heuristically cacheable; i.e., unless otherwise 5930 indicated by the method definition or explicit cache controls (see 5931 Section 4.2.2 of [Caching]). 5933 9.5.6. 405 Method Not Allowed 5935 The 405 (Method Not Allowed) status code indicates that the method 5936 received in the request-line is known by the origin server but not 5937 supported by the target resource. The origin server MUST generate an 5938 Allow header field in a 405 response containing a list of the target 5939 resource's currently supported methods. 5941 A 405 response is heuristically cacheable; i.e., unless otherwise 5942 indicated by the method definition or explicit cache controls (see 5943 Section 4.2.2 of [Caching]). 5945 9.5.7. 406 Not Acceptable 5947 The 406 (Not Acceptable) status code indicates that the target 5948 resource does not have a current representation that would be 5949 acceptable to the user agent, according to the proactive negotiation 5950 header fields received in the request (Section 8.4), and the server 5951 is unwilling to supply a default representation. 5953 The server SHOULD generate a payload containing a list of available 5954 representation characteristics and corresponding resource identifiers 5955 from which the user or user agent can choose the one most 5956 appropriate. A user agent MAY automatically select the most 5957 appropriate choice from that list. However, this specification does 5958 not define any standard for such automatic selection, as described in 5959 Section 9.4.1. 5961 9.5.8. 407 Proxy Authentication Required 5963 The 407 (Proxy Authentication Required) status code is similar to 401 5964 (Unauthorized), but it indicates that the client needs to 5965 authenticate itself in order to use a proxy. The proxy MUST send a 5966 Proxy-Authenticate header field (Section 10.3.2) containing a 5967 challenge applicable to that proxy for the target resource. The 5968 client MAY repeat the request with a new or replaced Proxy- 5969 Authorization header field (Section 8.5.4). 5971 9.5.9. 408 Request Timeout 5973 The 408 (Request Timeout) status code indicates that the server did 5974 not receive a complete request message within the time that it was 5975 prepared to wait. A server SHOULD send the "close" connection option 5976 (Section 9.1 of [Messaging]) in the response, since 408 implies that 5977 the server has decided to close the connection rather than continue 5978 waiting. If the client has an outstanding request in transit, the 5979 client MAY repeat that request on a new connection. 5981 9.5.10. 409 Conflict 5983 The 409 (Conflict) status code indicates that the request could not 5984 be completed due to a conflict with the current state of the target 5985 resource. This code is used in situations where the user might be 5986 able to resolve the conflict and resubmit the request. The server 5987 SHOULD generate a payload that includes enough information for a user 5988 to recognize the source of the conflict. 5990 Conflicts are most likely to occur in response to a PUT request. For 5991 example, if versioning were being used and the representation being 5992 PUT included changes to a resource that conflict with those made by 5993 an earlier (third-party) request, the origin server might use a 409 5994 response to indicate that it can't complete the request. In this 5995 case, the response representation would likely contain information 5996 useful for merging the differences based on the revision history. 5998 9.5.11. 410 Gone 6000 The 410 (Gone) status code indicates that access to the target 6001 resource is no longer available at the origin server and that this 6002 condition is likely to be permanent. If the origin server does not 6003 know, or has no facility to determine, whether or not the condition 6004 is permanent, the status code 404 (Not Found) ought to be used 6005 instead. 6007 The 410 response is primarily intended to assist the task of web 6008 maintenance by notifying the recipient that the resource is 6009 intentionally unavailable and that the server owners desire that 6010 remote links to that resource be removed. Such an event is common 6011 for limited-time, promotional services and for resources belonging to 6012 individuals no longer associated with the origin server's site. It 6013 is not necessary to mark all permanently unavailable resources as 6014 "gone" or to keep the mark for any length of time -- that is left to 6015 the discretion of the server owner. 6017 A 410 response is heuristically cacheable; i.e., unless otherwise 6018 indicated by the method definition or explicit cache controls (see 6019 Section 4.2.2 of [Caching]). 6021 9.5.12. 411 Length Required 6023 The 411 (Length Required) status code indicates that the server 6024 refuses to accept the request without a defined Content-Length 6025 (Section 6.2.4). The client MAY repeat the request if it adds a 6026 valid Content-Length header field containing the length of the 6027 message body in the request message. 6029 9.5.13. 412 Precondition Failed 6031 The 412 (Precondition Failed) status code indicates that one or more 6032 conditions given in the request header fields evaluated to false when 6033 tested on the server. This response status code allows the client to 6034 place preconditions on the current resource state (its current 6035 representations and metadata) and, thus, prevent the request method 6036 from being applied if the target resource is in an unexpected state. 6038 9.5.14. 413 Payload Too Large 6040 The 413 (Payload Too Large) status code indicates that the server is 6041 refusing to process a request because the request payload is larger 6042 than the server is willing or able to process. The server MAY close 6043 the connection to prevent the client from continuing the request. 6045 If the condition is temporary, the server SHOULD generate a Retry- 6046 After header field to indicate that it is temporary and after what 6047 time the client MAY try again. 6049 9.5.15. 414 URI Too Long 6051 The 414 (URI Too Long) status code indicates that the server is 6052 refusing to service the request because the request-target 6053 (Section 3.2 of [Messaging]) is longer than the server is willing to 6054 interpret. This rare condition is only likely to occur when a client 6055 has improperly converted a POST request to a GET request with long 6056 query information, when the client has descended into a "black hole" 6057 of redirection (e.g., a redirected URI prefix that points to a suffix 6058 of itself) or when the server is under attack by a client attempting 6059 to exploit potential security holes. 6061 A 414 response is heuristically cacheable; i.e., unless otherwise 6062 indicated by the method definition or explicit cache controls (see 6063 Section 4.2.2 of [Caching]). 6065 9.5.16. 415 Unsupported Media Type 6067 The 415 (Unsupported Media Type) status code indicates that the 6068 origin server is refusing to service the request because the payload 6069 is in a format not supported by this method on the target resource. 6070 The format problem might be due to the request's indicated Content- 6071 Type or Content-Encoding, or as a result of inspecting the data 6072 directly. 6074 9.5.17. 416 Range Not Satisfiable 6076 The 416 (Range Not Satisfiable) status code indicates that none of 6077 the ranges in the request's Range header field (Section 8.3) overlap 6078 the current extent of the selected representation or that the set of 6079 ranges requested has been rejected due to invalid ranges or an 6080 excessive request of small or overlapping ranges. 6082 For byte ranges, failing to overlap the current extent means that the 6083 first-pos of all of the range-spec values were greater than or equal 6084 to the current length of the selected representation. When this 6085 status code is generated in response to a byte-range request, the 6086 sender SHOULD generate a Content-Range header field specifying the 6087 current length of the selected representation (Section 6.3.4). 6089 For example: 6091 HTTP/1.1 416 Range Not Satisfiable 6092 Date: Fri, 20 Jan 2012 15:41:54 GMT 6093 Content-Range: bytes */47022 6095 Note: Because servers are free to ignore Range, many 6096 implementations will simply respond with the entire selected 6097 representation in a 200 (OK) response. That is partly because 6098 most clients are prepared to receive a 200 (OK) to complete the 6099 task (albeit less efficiently) and partly because clients might 6100 not stop making an invalid partial request until they have 6101 received a complete representation. Thus, clients cannot depend 6102 on receiving a 416 (Range Not Satisfiable) response even when it 6103 is most appropriate. 6105 9.5.18. 417 Expectation Failed 6107 The 417 (Expectation Failed) status code indicates that the 6108 expectation given in the request's Expect header field 6109 (Section 8.1.1) could not be met by at least one of the inbound 6110 servers. 6112 9.5.19. 418 (Unused) 6114 [RFC2324] was an April 1 RFC that lampooned the various ways HTTP was 6115 abused; one such abuse was the definition of an application-specific 6116 418 status code. In the intervening years, this status code has been 6117 widely implemented as an "Easter Egg", and therefore is effectively 6118 consumed by this use. 6120 Therefore, the 418 status code is reserved in the IANA HTTP Status 6121 Code registry. This indicates that the status code cannot be 6122 assigned to other applications currently. If future circumstances 6123 require its use (e.g., exhaustion of 4NN status codes), it can be re- 6124 assigned to another use. 6126 9.5.20. 422 Unprocessable Payload 6128 The 422 (Unprocessable Payload) status code indicates that the server 6129 understands the content type of the request payload (hence a 415 6130 (Unsupported Media Type) status code is inappropriate), and the 6131 syntax of the request payload is correct, but was unable to process 6132 the contained instructions. For example, this status code can be 6133 sent if an XML request payload contains well-formed (i.e., 6134 syntactically correct), but semantically erroneous XML instructions. 6136 9.5.21. 426 Upgrade Required 6138 The 426 (Upgrade Required) status code indicates that the server 6139 refuses to perform the request using the current protocol but might 6140 be willing to do so after the client upgrades to a different 6141 protocol. The server MUST send an Upgrade header field in a 426 6142 response to indicate the required protocol(s) (Section 9.9 of 6143 [Messaging]). 6145 Example: 6147 HTTP/1.1 426 Upgrade Required 6148 Upgrade: HTTP/3.0 6149 Connection: Upgrade 6150 Content-Length: 53 6151 Content-Type: text/plain 6153 This service requires use of the HTTP/3.0 protocol. 6155 9.6. Server Error 5xx 6157 The 5xx (Server Error) class of status code indicates that the server 6158 is aware that it has erred or is incapable of performing the 6159 requested method. Except when responding to a HEAD request, the 6160 server SHOULD send a representation containing an explanation of the 6161 error situation, and whether it is a temporary or permanent 6162 condition. A user agent SHOULD display any included representation 6163 to the user. These response codes are applicable to any request 6164 method. 6166 9.6.1. 500 Internal Server Error 6168 The 500 (Internal Server Error) status code indicates that the server 6169 encountered an unexpected condition that prevented it from fulfilling 6170 the request. 6172 9.6.2. 501 Not Implemented 6174 The 501 (Not Implemented) status code indicates that the server does 6175 not support the functionality required to fulfill the request. This 6176 is the appropriate response when the server does not recognize the 6177 request method and is not capable of supporting it for any resource. 6179 A 501 response is heuristically cacheable; i.e., unless otherwise 6180 indicated by the method definition or explicit cache controls (see 6181 Section 4.2.2 of [Caching]). 6183 9.6.3. 502 Bad Gateway 6185 The 502 (Bad Gateway) status code indicates that the server, while 6186 acting as a gateway or proxy, received an invalid response from an 6187 inbound server it accessed while attempting to fulfill the request. 6189 9.6.4. 503 Service Unavailable 6191 The 503 (Service Unavailable) status code indicates that the server 6192 is currently unable to handle the request due to a temporary overload 6193 or scheduled maintenance, which will likely be alleviated after some 6194 delay. The server MAY send a Retry-After header field 6195 (Section 10.1.3) to suggest an appropriate amount of time for the 6196 client to wait before retrying the request. 6198 Note: The existence of the 503 status code does not imply that a 6199 server has to use it when becoming overloaded. Some servers might 6200 simply refuse the connection. 6202 9.6.5. 504 Gateway Timeout 6204 The 504 (Gateway Timeout) status code indicates that the server, 6205 while acting as a gateway or proxy, did not receive a timely response 6206 from an upstream server it needed to access in order to complete the 6207 request. 6209 9.6.6. 505 HTTP Version Not Supported 6211 The 505 (HTTP Version Not Supported) status code indicates that the 6212 server does not support, or refuses to support, the major version of 6213 HTTP that was used in the request message. The server is indicating 6214 that it is unable or unwilling to complete the request using the same 6215 major version as the client, as described in Section 3.5, other than 6216 with this error message. The server SHOULD generate a representation 6217 for the 505 response that describes why that version is not supported 6218 and what other protocols are supported by that server. 6220 9.7. Status Code Extensibility 6222 Additional status codes, outside the scope of this specification, 6223 have been specified for use in HTTP. All such status codes ought to 6224 be registered within the "Hypertext Transfer Protocol (HTTP) Status 6225 Code Registry". 6227 9.7.1. Status Code Registry 6229 The "Hypertext Transfer Protocol (HTTP) Status Code Registry", 6230 maintained by IANA at , registers status code numbers. 6233 A registration MUST include the following fields: 6235 o Status Code (3 digits) 6237 o Short Description 6239 o Pointer to specification text 6241 Values to be added to the HTTP status code namespace require IETF 6242 Review (see [RFC8126], Section 4.8). 6244 9.7.2. Considerations for New Status Codes 6246 When it is necessary to express semantics for a response that are not 6247 defined by current status codes, a new status code can be registered. 6248 Status codes are generic; they are potentially applicable to any 6249 resource, not just one particular media type, kind of resource, or 6250 application of HTTP. As such, it is preferred that new status codes 6251 be registered in a document that isn't specific to a single 6252 application. 6254 New status codes are required to fall under one of the categories 6255 defined in Section 9. To allow existing parsers to process the 6256 response message, new status codes cannot disallow a payload, 6257 although they can mandate a zero-length payload body. 6259 Proposals for new status codes that are not yet widely deployed ought 6260 to avoid allocating a specific number for the code until there is 6261 clear consensus that it will be registered; instead, early drafts can 6262 use a notation such as "4NN", or "3N0" .. "3N9", to indicate the 6263 class of the proposed status code(s) without consuming a number 6264 prematurely. 6266 The definition of a new status code ought to explain the request 6267 conditions that would cause a response containing that status code 6268 (e.g., combinations of request header fields and/or method(s)) along 6269 with any dependencies on response header fields (e.g., what fields 6270 are required, what fields can modify the semantics, and what header 6271 field semantics are further refined when used with the new status 6272 code). 6274 The definition of a new status code ought to specify whether or not 6275 it is cacheable. Note that all status codes can be cached if the 6276 response they occur in has explicit freshness information; however, 6277 status codes that are defined as being cacheable are allowed to be 6278 cached without explicit freshness information. Likewise, the 6279 definition of a status code can place constraints upon cache 6280 behavior. See [Caching] for more information. 6282 Finally, the definition of a new status code ought to indicate 6283 whether the payload has any implied association with an identified 6284 resource (Section 6.3.2). 6286 10. Response Header Fields 6288 The response header fields allow the server to pass additional 6289 information about the response beyond what is placed in the status- 6290 line. These header fields give information about the server, about 6291 further access to the target resource, or about related resources. 6293 Although each response header field has a defined meaning, in 6294 general, the precise semantics might be further refined by the 6295 semantics of the request method and/or response status code. 6297 10.1. Control Data 6299 Response header fields can supply control data that supplements the 6300 status code, directs caching, or instructs the client where to go 6301 next. 6303 +-------------------+--------------------------+ 6304 | Header Field Name | Defined in... | 6305 +-------------------+--------------------------+ 6306 | Age | Section 5.1 of [Caching] | 6307 | Cache-Control | Section 5.2 of [Caching] | 6308 | Expires | Section 5.3 of [Caching] | 6309 | Date | Section 10.1.1.2 | 6310 | Location | Section 10.1.2 | 6311 | Retry-After | Section 10.1.3 | 6312 | Vary | Section 10.1.4 | 6313 | Warning | Section 5.5 of [Caching] | 6314 +-------------------+--------------------------+ 6316 10.1.1. Origination Date 6318 10.1.1.1. Date/Time Formats 6320 Prior to 1995, there were three different formats commonly used by 6321 servers to communicate timestamps. For compatibility with old 6322 implementations, all three are defined here. The preferred format is 6323 a fixed-length and single-zone subset of the date and time 6324 specification used by the Internet Message Format [RFC5322]. 6326 HTTP-date = IMF-fixdate / obs-date 6328 An example of the preferred format is 6330 Sun, 06 Nov 1994 08:49:37 GMT ; IMF-fixdate 6332 Examples of the two obsolete formats are 6334 Sunday, 06-Nov-94 08:49:37 GMT ; obsolete RFC 850 format 6335 Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format 6337 A recipient that parses a timestamp value in an HTTP header field 6338 MUST accept all three HTTP-date formats. When a sender generates a 6339 header field that contains one or more timestamps defined as HTTP- 6340 date, the sender MUST generate those timestamps in the IMF-fixdate 6341 format. 6343 An HTTP-date value represents time as an instance of Coordinated 6344 Universal Time (UTC). The first two formats indicate UTC by the 6345 three-letter abbreviation for Greenwich Mean Time, "GMT", a 6346 predecessor of the UTC name; values in the asctime format are assumed 6347 to be in UTC. A sender that generates HTTP-date values from a local 6348 clock ought to use NTP ([RFC5905]) or some similar protocol to 6349 synchronize its clock to UTC. 6351 Preferred format: 6353 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 6354 ; fixed length/zone/capitalization subset of the format 6355 ; see Section 3.3 of [RFC5322] 6357 day-name = %s"Mon" / %s"Tue" / %s"Wed" 6358 / %s"Thu" / %s"Fri" / %s"Sat" / %s"Sun" 6360 date1 = day SP month SP year 6361 ; e.g., 02 Jun 1982 6363 day = 2DIGIT 6364 month = %s"Jan" / %s"Feb" / %s"Mar" / %s"Apr" 6365 / %s"May" / %s"Jun" / %s"Jul" / %s"Aug" 6366 / %s"Sep" / %s"Oct" / %s"Nov" / %s"Dec" 6367 year = 4DIGIT 6369 GMT = %s"GMT" 6371 time-of-day = hour ":" minute ":" second 6372 ; 00:00:00 - 23:59:60 (leap second) 6374 hour = 2DIGIT 6375 minute = 2DIGIT 6376 second = 2DIGIT 6378 Obsolete formats: 6380 obs-date = rfc850-date / asctime-date 6382 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 6383 date2 = day "-" month "-" 2DIGIT 6384 ; e.g., 02-Jun-82 6386 day-name-l = %s"Monday" / %s"Tuesday" / %s"Wednesday" 6387 / %s"Thursday" / %s"Friday" / %s"Saturday" / %s"Sunday" 6389 asctime-date = day-name SP date3 SP time-of-day SP year 6390 date3 = month SP ( 2DIGIT / ( SP 1DIGIT )) 6391 ; e.g., Jun 2 6393 HTTP-date is case sensitive. A sender MUST NOT generate additional 6394 whitespace in an HTTP-date beyond that specifically included as SP in 6395 the grammar. The semantics of day-name, day, month, year, and time- 6396 of-day are the same as those defined for the Internet Message Format 6397 constructs with the corresponding name ([RFC5322], Section 3.3). 6399 Recipients of a timestamp value in rfc850-date format, which uses a 6400 two-digit year, MUST interpret a timestamp that appears to be more 6401 than 50 years in the future as representing the most recent year in 6402 the past that had the same last two digits. 6404 Recipients of timestamp values are encouraged to be robust in parsing 6405 timestamps unless otherwise restricted by the field definition. For 6406 example, messages are occasionally forwarded over HTTP from a non- 6407 HTTP source that might generate any of the date and time 6408 specifications defined by the Internet Message Format. 6410 Note: HTTP requirements for the date/time stamp format apply only 6411 to their usage within the protocol stream. Implementations are 6412 not required to use these formats for user presentation, request 6413 logging, etc. 6415 10.1.1.2. Date 6417 The "Date" header field represents the date and time at which the 6418 message was originated, having the same semantics as the Origination 6419 Date Field (orig-date) defined in Section 3.6.1 of [RFC5322]. The 6420 field value is an HTTP-date, as defined in Section 10.1.1.1. 6422 Date = HTTP-date 6424 An example is 6426 Date: Tue, 15 Nov 1994 08:12:31 GMT 6428 When a Date header field is generated, the sender SHOULD generate its 6429 field value as the best available approximation of the date and time 6430 of message generation. In theory, the date ought to represent the 6431 moment just before the payload is generated. In practice, the date 6432 can be generated at any time during message origination. 6434 An origin server MUST NOT send a Date header field if it does not 6435 have a clock capable of providing a reasonable approximation of the 6436 current instance in Coordinated Universal Time. An origin server MAY 6437 send a Date header field if the response is in the 1xx 6438 (Informational) or 5xx (Server Error) class of status codes. An 6439 origin server MUST send a Date header field in all other cases. 6441 A recipient with a clock that receives a response message without a 6442 Date header field MUST record the time it was received and append a 6443 corresponding Date header field to the message's header section if it 6444 is cached or forwarded downstream. 6446 A user agent MAY send a Date header field in a request, though 6447 generally will not do so unless it is believed to convey useful 6448 information to the server. For example, custom applications of HTTP 6449 might convey a Date if the server is expected to adjust its 6450 interpretation of the user's request based on differences between the 6451 user agent and server clocks. 6453 10.1.2. Location 6455 The "Location" header field is used in some responses to refer to a 6456 specific resource in relation to the response. The type of 6457 relationship is defined by the combination of request method and 6458 status code semantics. 6460 Location = URI-reference 6462 The field value consists of a single URI-reference. When it has the 6463 form of a relative reference ([RFC3986], Section 4.2), the final 6464 value is computed by resolving it against the effective request URI 6465 ([RFC3986], Section 5). 6467 For 201 (Created) responses, the Location value refers to the primary 6468 resource created by the request. For 3xx (Redirection) responses, 6469 the Location value refers to the preferred target resource for 6470 automatically redirecting the request. 6472 If the Location value provided in a 3xx (Redirection) response does 6473 not have a fragment component, a user agent MUST process the 6474 redirection as if the value inherits the fragment component of the 6475 URI reference used to generate the request target (i.e., the 6476 redirection inherits the original reference's fragment, if any). 6478 For example, a GET request generated for the URI reference 6479 "http://www.example.org/~tim" might result in a 303 (See Other) 6480 response containing the header field: 6482 Location: /People.html#tim 6484 which suggests that the user agent redirect to 6485 "http://www.example.org/People.html#tim" 6487 Likewise, a GET request generated for the URI reference 6488 "http://www.example.org/index.html#larry" might result in a 301 6489 (Moved Permanently) response containing the header field: 6491 Location: http://www.example.net/index.html 6493 which suggests that the user agent redirect to 6494 "http://www.example.net/index.html#larry", preserving the original 6495 fragment identifier. 6497 There are circumstances in which a fragment identifier in a Location 6498 value would not be appropriate. For example, the Location header 6499 field in a 201 (Created) response is supposed to provide a URI that 6500 is specific to the created resource. 6502 Note: Some recipients attempt to recover from Location fields that 6503 are not valid URI references. This specification does not mandate 6504 or define such processing, but does allow it for the sake of 6505 robustness. 6507 Note: The Content-Location header field (Section 6.2.5) differs 6508 from Location in that the Content-Location refers to the most 6509 specific resource corresponding to the enclosed representation. 6510 It is therefore possible for a response to contain both the 6511 Location and Content-Location header fields. 6513 10.1.3. Retry-After 6515 Servers send the "Retry-After" header field to indicate how long the 6516 user agent ought to wait before making a follow-up request. When 6517 sent with a 503 (Service Unavailable) response, Retry-After indicates 6518 how long the service is expected to be unavailable to the client. 6519 When sent with any 3xx (Redirection) response, Retry-After indicates 6520 the minimum time that the user agent is asked to wait before issuing 6521 the redirected request. 6523 The value of this field can be either an HTTP-date or a number of 6524 seconds to delay after the response is received. 6526 Retry-After = HTTP-date / delay-seconds 6528 A delay-seconds value is a non-negative decimal integer, representing 6529 time in seconds. 6531 delay-seconds = 1*DIGIT 6533 Two examples of its use are 6535 Retry-After: Fri, 31 Dec 1999 23:59:59 GMT 6536 Retry-After: 120 6538 In the latter example, the delay is 2 minutes. 6540 10.1.4. Vary 6542 The "Vary" header field in a response describes what parts of a 6543 request message, aside from the method, Host header field, and 6544 request target, might influence the origin server's process for 6545 selecting and representing this response. The value consists of 6546 either a single asterisk ("*") or a list of header field names (case- 6547 insensitive). 6549 Vary = "*" / 1#field-name 6551 A Vary field value of "*" signals that anything about the request 6552 might play a role in selecting the response representation, possibly 6553 including elements outside the message syntax (e.g., the client's 6554 network address). A recipient will not be able to determine whether 6555 this response is appropriate for a later request without forwarding 6556 the request to the origin server. A proxy MUST NOT generate a Vary 6557 field with a "*" value. 6559 A Vary field value consisting of a comma-separated list of names 6560 indicates that the named request header fields, known as the 6561 selecting header fields, might have a role in selecting the 6562 representation. The potential selecting header fields are not 6563 limited to those defined by this specification. 6565 For example, a response that contains 6567 Vary: accept-encoding, accept-language 6569 indicates that the origin server might have used the request's 6570 Accept-Encoding and Accept-Language fields (or lack thereof) as 6571 determining factors while choosing the content for this response. 6573 An origin server might send Vary with a list of fields for two 6574 purposes: 6576 1. To inform cache recipients that they MUST NOT use this response 6577 to satisfy a later request unless the later request has the same 6578 values for the listed fields as the original request (Section 4.1 6579 of [Caching]). In other words, Vary expands the cache key 6580 required to match a new request to the stored cache entry. 6582 2. To inform user agent recipients that this response is subject to 6583 content negotiation (Section 8.4) and that a different 6584 representation might be sent in a subsequent request if 6585 additional parameters are provided in the listed header fields 6586 (proactive negotiation). 6588 An origin server SHOULD send a Vary header field when its algorithm 6589 for selecting a representation varies based on aspects of the request 6590 message other than the method and request target, unless the variance 6591 cannot be crossed or the origin server has been deliberately 6592 configured to prevent cache transparency. For example, there is no 6593 need to send the Authorization field name in Vary because reuse 6594 across users is constrained by the field definition (Section 8.5.3). 6595 Likewise, an origin server might use Cache-Control response 6596 directives (Section 5.2 of [Caching]) to supplant Vary if it 6597 considers the variance less significant than the performance cost of 6598 Vary's impact on caching. 6600 10.2. Validators 6602 Validator header fields convey metadata about the selected 6603 representation (Section 6). In responses to safe requests, validator 6604 fields describe the selected representation chosen by the origin 6605 server while handling the response. Note that, depending on the 6606 status code semantics, the selected representation for a given 6607 response is not necessarily the same as the representation enclosed 6608 as response payload. 6610 In a successful response to a state-changing request, validator 6611 fields describe the new representation that has replaced the prior 6612 selected representation as a result of processing the request. 6614 For example, an ETag header field in a 201 (Created) response 6615 communicates the entity-tag of the newly created resource's 6616 representation, so that it can be used in later conditional requests 6617 to prevent the "lost update" problem Section 8.2. 6619 +-------------------+----------------+ 6620 | Header Field Name | Defined in... | 6621 +-------------------+----------------+ 6622 | ETag | Section 10.2.3 | 6623 | Last-Modified | Section 10.2.2 | 6624 +-------------------+----------------+ 6626 This specification defines two forms of metadata that are commonly 6627 used to observe resource state and test for preconditions: 6628 modification dates (Section 10.2.2) and opaque entity tags 6629 (Section 10.2.3). Additional metadata that reflects resource state 6630 has been defined by various extensions of HTTP, such as Web 6631 Distributed Authoring and Versioning (WebDAV, [RFC4918]), that are 6632 beyond the scope of this specification. A resource metadata value is 6633 referred to as a "validator" when it is used within a precondition. 6635 10.2.1. Weak versus Strong 6637 Validators come in two flavors: strong or weak. Weak validators are 6638 easy to generate but are far less useful for comparisons. Strong 6639 validators are ideal for comparisons but can be very difficult (and 6640 occasionally impossible) to generate efficiently. Rather than impose 6641 that all forms of resource adhere to the same strength of validator, 6642 HTTP exposes the type of validator in use and imposes restrictions on 6643 when weak validators can be used as preconditions. 6645 A "strong validator" is representation metadata that changes value 6646 whenever a change occurs to the representation data that would be 6647 observable in the payload body of a 200 (OK) response to GET. 6649 A strong validator might change for reasons other than a change to 6650 the representation data, such as when a semantically significant part 6651 of the representation metadata is changed (e.g., Content-Type), but 6652 it is in the best interests of the origin server to only change the 6653 value when it is necessary to invalidate the stored responses held by 6654 remote caches and authoring tools. 6656 Cache entries might persist for arbitrarily long periods, regardless 6657 of expiration times. Thus, a cache might attempt to validate an 6658 entry using a validator that it obtained in the distant past. A 6659 strong validator is unique across all versions of all representations 6660 associated with a particular resource over time. However, there is 6661 no implication of uniqueness across representations of different 6662 resources (i.e., the same strong validator might be in use for 6663 representations of multiple resources at the same time and does not 6664 imply that those representations are equivalent). 6666 There are a variety of strong validators used in practice. The best 6667 are based on strict revision control, wherein each change to a 6668 representation always results in a unique node name and revision 6669 identifier being assigned before the representation is made 6670 accessible to GET. A collision-resistant hash function applied to 6671 the representation data is also sufficient if the data is available 6672 prior to the response header fields being sent and the digest does 6673 not need to be recalculated every time a validation request is 6674 received. However, if a resource has distinct representations that 6675 differ only in their metadata, such as might occur with content 6676 negotiation over media types that happen to share the same data 6677 format, then the origin server needs to incorporate additional 6678 information in the validator to distinguish those representations. 6680 In contrast, a "weak validator" is representation metadata that might 6681 not change for every change to the representation data. This 6682 weakness might be due to limitations in how the value is calculated, 6683 such as clock resolution, an inability to ensure uniqueness for all 6684 possible representations of the resource, or a desire of the resource 6685 owner to group representations by some self-determined set of 6686 equivalency rather than unique sequences of data. An origin server 6687 SHOULD change a weak entity-tag whenever it considers prior 6688 representations to be unacceptable as a substitute for the current 6689 representation. In other words, a weak entity-tag ought to change 6690 whenever the origin server wants caches to invalidate old responses. 6692 For example, the representation of a weather report that changes in 6693 content every second, based on dynamic measurements, might be grouped 6694 into sets of equivalent representations (from the origin server's 6695 perspective) with the same weak validator in order to allow cached 6696 representations to be valid for a reasonable period of time (perhaps 6697 adjusted dynamically based on server load or weather quality). 6698 Likewise, a representation's modification time, if defined with only 6699 one-second resolution, might be a weak validator if it is possible 6700 for the representation to be modified twice during a single second 6701 and retrieved between those modifications. 6703 Likewise, a validator is weak if it is shared by two or more 6704 representations of a given resource at the same time, unless those 6705 representations have identical representation data. For example, if 6706 the origin server sends the same validator for a representation with 6707 a gzip content coding applied as it does for a representation with no 6708 content coding, then that validator is weak. However, two 6709 simultaneous representations might share the same strong validator if 6710 they differ only in the representation metadata, such as when two 6711 different media types are available for the same representation data. 6713 Strong validators are usable for all conditional requests, including 6714 cache validation, partial content ranges, and "lost update" 6715 avoidance. Weak validators are only usable when the client does not 6716 require exact equality with previously obtained representation data, 6717 such as when validating a cache entry or limiting a web traversal to 6718 recent changes. 6720 10.2.2. Last-Modified 6722 The "Last-Modified" header field in a response provides a timestamp 6723 indicating the date and time at which the origin server believes the 6724 selected representation was last modified, as determined at the 6725 conclusion of handling the request. 6727 Last-Modified = HTTP-date 6729 An example of its use is 6731 Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT 6733 10.2.2.1. Generation 6735 An origin server SHOULD send Last-Modified for any selected 6736 representation for which a last modification date can be reasonably 6737 and consistently determined, since its use in conditional requests 6738 and evaluating cache freshness ([Caching]) results in a substantial 6739 reduction of HTTP traffic on the Internet and can be a significant 6740 factor in improving service scalability and reliability. 6742 A representation is typically the sum of many parts behind the 6743 resource interface. The last-modified time would usually be the most 6744 recent time that any of those parts were changed. How that value is 6745 determined for any given resource is an implementation detail beyond 6746 the scope of this specification. What matters to HTTP is how 6747 recipients of the Last-Modified header field can use its value to 6748 make conditional requests and test the validity of locally cached 6749 responses. 6751 An origin server SHOULD obtain the Last-Modified value of the 6752 representation as close as possible to the time that it generates the 6753 Date field value for its response. This allows a recipient to make 6754 an accurate assessment of the representation's modification time, 6755 especially if the representation changes near the time that the 6756 response is generated. 6758 An origin server with a clock MUST NOT send a Last-Modified date that 6759 is later than the server's time of message origination (Date). If 6760 the last modification time is derived from implementation-specific 6761 metadata that evaluates to some time in the future, according to the 6762 origin server's clock, then the origin server MUST replace that value 6763 with the message origination date. This prevents a future 6764 modification date from having an adverse impact on cache validation. 6766 An origin server without a clock MUST NOT assign Last-Modified values 6767 to a response unless these values were associated with the resource 6768 by some other system or user with a reliable clock. 6770 10.2.2.2. Comparison 6772 A Last-Modified time, when used as a validator in a request, is 6773 implicitly weak unless it is possible to deduce that it is strong, 6774 using the following rules: 6776 o The validator is being compared by an origin server to the actual 6777 current validator for the representation and, 6779 o That origin server reliably knows that the associated 6780 representation did not change twice during the second covered by 6781 the presented validator. 6783 or 6785 o The validator is about to be used by a client in an If-Modified- 6786 Since, If-Unmodified-Since, or If-Range header field, because the 6787 client has a cache entry for the associated representation, and 6789 o That cache entry includes a Date value, which gives the time when 6790 the origin server sent the original response, and 6792 o The presented Last-Modified time is at least 60 seconds before the 6793 Date value. 6795 or 6797 o The validator is being compared by an intermediate cache to the 6798 validator stored in its cache entry for the representation, and 6800 o That cache entry includes a Date value, which gives the time when 6801 the origin server sent the original response, and 6803 o The presented Last-Modified time is at least 60 seconds before the 6804 Date value. 6806 This method relies on the fact that if two different responses were 6807 sent by the origin server during the same second, but both had the 6808 same Last-Modified time, then at least one of those responses would 6809 have a Date value equal to its Last-Modified time. The arbitrary 6810 60-second limit guards against the possibility that the Date and 6811 Last-Modified values are generated from different clocks or at 6812 somewhat different times during the preparation of the response. An 6813 implementation MAY use a value larger than 60 seconds, if it is 6814 believed that 60 seconds is too short. 6816 10.2.3. ETag 6818 The "ETag" header field in a response provides the current entity-tag 6819 for the selected representation, as determined at the conclusion of 6820 handling the request. An entity-tag is an opaque validator for 6821 differentiating between multiple representations of the same 6822 resource, regardless of whether those multiple representations are 6823 due to resource state changes over time, content negotiation 6824 resulting in multiple representations being valid at the same time, 6825 or both. An entity-tag consists of an opaque quoted string, possibly 6826 prefixed by a weakness indicator. 6828 ETag = entity-tag 6830 entity-tag = [ weak ] opaque-tag 6831 weak = %s"W/" 6832 opaque-tag = DQUOTE *etagc DQUOTE 6833 etagc = %x21 / %x23-7E / obs-text 6834 ; VCHAR except double quotes, plus obs-text 6836 Note: Previously, opaque-tag was defined to be a quoted-string 6837 ([RFC2616], Section 3.11); thus, some recipients might perform 6838 backslash unescaping. Servers therefore ought to avoid backslash 6839 characters in entity tags. 6841 An entity-tag can be more reliable for validation than a modification 6842 date in situations where it is inconvenient to store modification 6843 dates, where the one-second resolution of HTTP date values is not 6844 sufficient, or where modification dates are not consistently 6845 maintained. 6847 Examples: 6849 ETag: "xyzzy" 6850 ETag: W/"xyzzy" 6851 ETag: "" 6853 An entity-tag can be either a weak or strong validator, with strong 6854 being the default. If an origin server provides an entity-tag for a 6855 representation and the generation of that entity-tag does not satisfy 6856 all of the characteristics of a strong validator (Section 10.2.1), 6857 then the origin server MUST mark the entity-tag as weak by prefixing 6858 its opaque value with "W/" (case-sensitive). 6860 10.2.3.1. Generation 6862 The principle behind entity-tags is that only the service author 6863 knows the implementation of a resource well enough to select the most 6864 accurate and efficient validation mechanism for that resource, and 6865 that any such mechanism can be mapped to a simple sequence of octets 6866 for easy comparison. Since the value is opaque, there is no need for 6867 the client to be aware of how each entity-tag is constructed. 6869 For example, a resource that has implementation-specific versioning 6870 applied to all changes might use an internal revision number, perhaps 6871 combined with a variance identifier for content negotiation, to 6872 accurately differentiate between representations. Other 6873 implementations might use a collision-resistant hash of 6874 representation content, a combination of various file attributes, or 6875 a modification timestamp that has sub-second resolution. 6877 An origin server SHOULD send an ETag for any selected representation 6878 for which detection of changes can be reasonably and consistently 6879 determined, since the entity-tag's use in conditional requests and 6880 evaluating cache freshness ([Caching]) can result in a substantial 6881 reduction of HTTP network traffic and can be a significant factor in 6882 improving service scalability and reliability. 6884 10.2.3.2. Comparison 6886 There are two entity-tag comparison functions, depending on whether 6887 or not the comparison context allows the use of weak validators: 6889 o Strong comparison: two entity-tags are equivalent if both are not 6890 weak and their opaque-tags match character-by-character. 6892 o Weak comparison: two entity-tags are equivalent if their opaque- 6893 tags match character-by-character, regardless of either or both 6894 being tagged as "weak". 6896 The example below shows the results for a set of entity-tag pairs and 6897 both the weak and strong comparison function results: 6899 +--------+--------+-------------------+-----------------+ 6900 | ETag 1 | ETag 2 | Strong Comparison | Weak Comparison | 6901 +--------+--------+-------------------+-----------------+ 6902 | W/"1" | W/"1" | no match | match | 6903 | W/"1" | W/"2" | no match | no match | 6904 | W/"1" | "1" | no match | match | 6905 | "1" | "1" | match | match | 6906 +--------+--------+-------------------+-----------------+ 6908 10.2.3.3. Example: Entity-Tags Varying on Content-Negotiated Resources 6910 Consider a resource that is subject to content negotiation 6911 (Section 6.4), and where the representations sent in response to a 6912 GET request vary based on the Accept-Encoding request header field 6913 (Section 8.4.4): 6915 >> Request: 6917 GET /index HTTP/1.1 6918 Host: www.example.com 6919 Accept-Encoding: gzip 6921 In this case, the response might or might not use the gzip content 6922 coding. If it does not, the response might look like: 6924 >> Response: 6926 HTTP/1.1 200 OK 6927 Date: Fri, 26 Mar 2010 00:05:00 GMT 6928 ETag: "123-a" 6929 Content-Length: 70 6930 Vary: Accept-Encoding 6931 Content-Type: text/plain 6933 Hello World! 6934 Hello World! 6935 Hello World! 6936 Hello World! 6937 Hello World! 6939 An alternative representation that does use gzip content coding would 6940 be: 6942 >> Response: 6944 HTTP/1.1 200 OK 6945 Date: Fri, 26 Mar 2010 00:05:00 GMT 6946 ETag: "123-b" 6947 Content-Length: 43 6948 Vary: Accept-Encoding 6949 Content-Type: text/plain 6950 Content-Encoding: gzip 6952 ...binary data... 6954 Note: Content codings are a property of the representation data, 6955 so a strong entity-tag for a content-encoded representation has to 6956 be distinct from the entity tag of an unencoded representation to 6957 prevent potential conflicts during cache updates and range 6958 requests. In contrast, transfer codings (Section 7 of 6959 [Messaging]) apply only during message transfer and do not result 6960 in distinct entity-tags. 6962 10.2.4. When to Use Entity-Tags and Last-Modified Dates 6964 In 200 (OK) responses to GET or HEAD, an origin server: 6966 o SHOULD send an entity-tag validator unless it is not feasible to 6967 generate one. 6969 o MAY send a weak entity-tag instead of a strong entity-tag, if 6970 performance considerations support the use of weak entity-tags, or 6971 if it is unfeasible to send a strong entity-tag. 6973 o SHOULD send a Last-Modified value if it is feasible to send one. 6975 In other words, the preferred behavior for an origin server is to 6976 send both a strong entity-tag and a Last-Modified value in successful 6977 responses to a retrieval request. 6979 A client: 6981 o MUST send that entity-tag in any cache validation request (using 6982 If-Match or If-None-Match) if an entity-tag has been provided by 6983 the origin server. 6985 o SHOULD send the Last-Modified value in non-subrange cache 6986 validation requests (using If-Modified-Since) if only a Last- 6987 Modified value has been provided by the origin server. 6989 o MAY send the Last-Modified value in subrange cache validation 6990 requests (using If-Unmodified-Since) if only a Last-Modified value 6991 has been provided by an HTTP/1.0 origin server. The user agent 6992 SHOULD provide a way to disable this, in case of difficulty. 6994 o SHOULD send both validators in cache validation requests if both 6995 an entity-tag and a Last-Modified value have been provided by the 6996 origin server. This allows both HTTP/1.0 and HTTP/1.1 caches to 6997 respond appropriately. 6999 10.3. Authentication Challenges 7001 Authentication challenges indicate what mechanisms are available for 7002 the client to provide authentication credentials in future requests. 7004 +--------------------+----------------+ 7005 | Header Field Name | Defined in... | 7006 +--------------------+----------------+ 7007 | WWW-Authenticate | Section 10.3.1 | 7008 | Proxy-Authenticate | Section 10.3.2 | 7009 +--------------------+----------------+ 7010 Furthermore, the "Authentication-Info" and "Proxy-Authentication- 7011 Info" response header fields are defined for use in authentication 7012 schemes that need to return information once the client's 7013 authentication credentials have been accepted. 7015 +---------------------------+----------------+ 7016 | Header Field Name | Defined in... | 7017 +---------------------------+----------------+ 7018 | Authentication-Info | Section 10.3.3 | 7019 | Proxy-Authentication-Info | Section 10.3.4 | 7020 +---------------------------+----------------+ 7022 10.3.1. WWW-Authenticate 7024 The "WWW-Authenticate" header field indicates the authentication 7025 scheme(s) and parameters applicable to the target resource. 7027 WWW-Authenticate = 1#challenge 7029 A server generating a 401 (Unauthorized) response MUST send a WWW- 7030 Authenticate header field containing at least one challenge. A 7031 server MAY generate a WWW-Authenticate header field in other response 7032 messages to indicate that supplying credentials (or different 7033 credentials) might affect the response. 7035 A proxy forwarding a response MUST NOT modify any WWW-Authenticate 7036 fields in that response. 7038 User agents are advised to take special care in parsing the field 7039 value, as it might contain more than one challenge, and each 7040 challenge can contain a comma-separated list of authentication 7041 parameters. Furthermore, the header field itself can occur multiple 7042 times. 7044 For instance: 7046 WWW-Authenticate: Newauth realm="apps", type=1, 7047 title="Login to \"apps\"", Basic realm="simple" 7049 This header field contains two challenges; one for the "Newauth" 7050 scheme with a realm value of "apps", and two additional parameters 7051 "type" and "title", and another one for the "Basic" scheme with a 7052 realm value of "simple". 7054 Note: The challenge grammar production uses the list syntax as 7055 well. Therefore, a sequence of comma, whitespace, and comma can 7056 be considered either as applying to the preceding challenge, or to 7057 be an empty entry in the list of challenges. In practice, this 7058 ambiguity does not affect the semantics of the header field value 7059 and thus is harmless. 7061 10.3.2. Proxy-Authenticate 7063 The "Proxy-Authenticate" header field consists of at least one 7064 challenge that indicates the authentication scheme(s) and parameters 7065 applicable to the proxy for this effective request URI (Section 5.3). 7066 A proxy MUST send at least one Proxy-Authenticate header field in 7067 each 407 (Proxy Authentication Required) response that it generates. 7069 Proxy-Authenticate = 1#challenge 7071 Unlike WWW-Authenticate, the Proxy-Authenticate header field applies 7072 only to the next outbound client on the response chain. This is 7073 because only the client that chose a given proxy is likely to have 7074 the credentials necessary for authentication. However, when multiple 7075 proxies are used within the same administrative domain, such as 7076 office and regional caching proxies within a large corporate network, 7077 it is common for credentials to be generated by the user agent and 7078 passed through the hierarchy until consumed. Hence, in such a 7079 configuration, it will appear as if Proxy-Authenticate is being 7080 forwarded because each proxy will send the same challenge set. 7082 Note that the parsing considerations for WWW-Authenticate apply to 7083 this header field as well; see Section 10.3.1 for details. 7085 10.3.3. Authentication-Info 7087 HTTP authentication schemes can use the Authentication-Info response 7088 header field to communicate information after the client's 7089 authentication credentials have been accepted. This information can 7090 include a finalization message from the server (e.g., it can contain 7091 the server authentication). 7093 The field value is a list of parameters (name/value pairs), using the 7094 "auth-param" syntax defined in Section 8.5.1. This specification 7095 only describes the generic format; authentication schemes using 7096 Authentication-Info will define the individual parameters. The 7097 "Digest" Authentication Scheme, for instance, defines multiple 7098 parameters in Section 3.5 of [RFC7616]. 7100 Authentication-Info = #auth-param 7102 The Authentication-Info header field can be used in any HTTP 7103 response, independently of request method and status code. Its 7104 semantics are defined by the authentication scheme indicated by the 7105 Authorization header field (Section 8.5.3) of the corresponding 7106 request. 7108 A proxy forwarding a response is not allowed to modify the field 7109 value in any way. 7111 Authentication-Info can be used inside trailers (Section 7.1.2 of 7112 [Messaging]) when the authentication scheme explicitly allows this. 7114 10.3.3.1. Parameter Value Format 7116 Parameter values can be expressed either as "token" or as "quoted- 7117 string" (Section 4.2.3). 7119 Authentication scheme definitions need to allow both notations, both 7120 for senders and recipients. This allows recipients to use generic 7121 parsing components, independent of the authentication scheme in use. 7123 For backwards compatibility, authentication scheme definitions can 7124 restrict the format for senders to one of the two variants. This can 7125 be important when it is known that deployed implementations will fail 7126 when encountering one of the two formats. 7128 10.3.4. Proxy-Authentication-Info 7130 The Proxy-Authentication-Info response header field is equivalent to 7131 Authentication-Info, except that it applies to proxy authentication 7132 (Section 8.5.1) and its semantics are defined by the authentication 7133 scheme indicated by the Proxy-Authorization header field 7134 (Section 8.5.4) of the corresponding request: 7136 Proxy-Authentication-Info = #auth-param 7138 However, unlike Authentication-Info, the Proxy-Authentication-Info 7139 header field applies only to the next outbound client on the response 7140 chain. This is because only the client that chose a given proxy is 7141 likely to have the credentials necessary for authentication. 7142 However, when multiple proxies are used within the same 7143 administrative domain, such as office and regional caching proxies 7144 within a large corporate network, it is common for credentials to be 7145 generated by the user agent and passed through the hierarchy until 7146 consumed. Hence, in such a configuration, it will appear as if 7147 Proxy-Authentication-Info is being forwarded because each proxy will 7148 send the same field value. 7150 10.4. Response Context 7152 The remaining response header fields provide more information about 7153 the target resource for potential use in later requests. 7155 +-------------------+----------------+ 7156 | Header Field Name | Defined in... | 7157 +-------------------+----------------+ 7158 | Accept-Ranges | Section 10.4.1 | 7159 | Allow | Section 10.4.2 | 7160 | Server | Section 10.4.3 | 7161 +-------------------+----------------+ 7163 10.4.1. Accept-Ranges 7165 The "Accept-Ranges" header field allows a server to indicate that it 7166 supports range requests for the target resource. 7168 Accept-Ranges = acceptable-ranges 7169 acceptable-ranges = 1#range-unit / "none" 7171 An origin server that supports byte-range requests for a given target 7172 resource MAY send 7174 Accept-Ranges: bytes 7176 to indicate what range units are supported. A client MAY generate 7177 range requests without having received this header field for the 7178 resource involved. Range units are defined in Section 6.1.4. 7180 A server that does not support any kind of range request for the 7181 target resource MAY send 7183 Accept-Ranges: none 7185 to advise the client not to attempt a range request. 7187 10.4.2. Allow 7189 The "Allow" header field lists the set of methods advertised as 7190 supported by the target resource. The purpose of this field is 7191 strictly to inform the recipient of valid request methods associated 7192 with the resource. 7194 Allow = #method 7196 Example of use: 7198 Allow: GET, HEAD, PUT 7200 The actual set of allowed methods is defined by the origin server at 7201 the time of each request. An origin server MUST generate an Allow 7202 field in a 405 (Method Not Allowed) response and MAY do so in any 7203 other response. An empty Allow field value indicates that the 7204 resource allows no methods, which might occur in a 405 response if 7205 the resource has been temporarily disabled by configuration. 7207 A proxy MUST NOT modify the Allow header field -- it does not need to 7208 understand all of the indicated methods in order to handle them 7209 according to the generic message handling rules. 7211 10.4.3. Server 7213 The "Server" header field contains information about the software 7214 used by the origin server to handle the request, which is often used 7215 by clients to help identify the scope of reported interoperability 7216 problems, to work around or tailor requests to avoid particular 7217 server limitations, and for analytics regarding server or operating 7218 system use. An origin server MAY generate a Server field in its 7219 responses. 7221 Server = product *( RWS ( product / comment ) ) 7223 The Server field-value consists of one or more product identifiers, 7224 each followed by zero or more comments (Section 4.2.3.3), which 7225 together identify the origin server software and its significant 7226 subproducts. By convention, the product identifiers are listed in 7227 decreasing order of their significance for identifying the origin 7228 server software. Each product identifier consists of a name and 7229 optional version, as defined in Section 8.6.3. 7231 Example: 7233 Server: CERN/3.0 libwww/2.17 7235 An origin server SHOULD NOT generate a Server field containing 7236 needlessly fine-grained detail and SHOULD limit the addition of 7237 subproducts by third parties. Overly long and detailed Server field 7238 values increase response latency and potentially reveal internal 7239 implementation details that might make it (slightly) easier for 7240 attackers to find and exploit known security holes. 7242 11. Generic Syntax 7244 11.1. Whitespace 7246 This specification uses three rules to denote the use of linear 7247 whitespace: OWS (optional whitespace), RWS (required whitespace), and 7248 BWS ("bad" whitespace). 7250 The OWS rule is used where zero or more linear whitespace octets 7251 might appear. For protocol elements where optional whitespace is 7252 preferred to improve readability, a sender SHOULD generate the 7253 optional whitespace as a single SP; otherwise, a sender SHOULD NOT 7254 generate optional whitespace except as needed to white out invalid or 7255 unwanted protocol elements during in-place message filtering. 7257 The RWS rule is used when at least one linear whitespace octet is 7258 required to separate field tokens. A sender SHOULD generate RWS as a 7259 single SP. 7261 The BWS rule is used where the grammar allows optional whitespace 7262 only for historical reasons. A sender MUST NOT generate BWS in 7263 messages. A recipient MUST parse for such bad whitespace and remove 7264 it before interpreting the protocol element. 7266 OWS = *( SP / HTAB ) 7267 ; optional whitespace 7268 RWS = 1*( SP / HTAB ) 7269 ; required whitespace 7270 BWS = OWS 7271 ; "bad" whitespace 7273 12. ABNF List Extension: #rule 7275 A #rule extension to the ABNF rules of [RFC5234] is used to improve 7276 readability in the definitions of some header field values. 7278 A construct "#" is defined, similar to "*", for defining comma- 7279 delimited lists of elements. The full form is "#element" 7280 indicating at least and at most elements, each separated by a 7281 single comma (",") and optional whitespace (OWS). 7283 12.1. Sender Requirements 7285 In any production that uses the list construct, a sender MUST NOT 7286 generate empty list elements. In other words, a sender MUST generate 7287 lists that satisfy the following syntax: 7289 1#element => element *( OWS "," OWS element ) 7291 and: 7293 #element => [ 1#element ] 7295 and for n >= 1 and m > 1: 7297 #element => element *( OWS "," OWS element ) 7299 12.2. Recipient Requirements 7301 Empty elements do not contribute to the count of elements present. A 7302 recipient MUST parse and ignore a reasonable number of empty list 7303 elements: enough to handle common mistakes by senders that merge 7304 values, but not so much that they could be used as a denial-of- 7305 service mechanism. In other words, a recipient MUST accept lists 7306 that satisfy the following syntax: 7308 #element => [ element ] *( OWS "," OWS [ element ] ) 7310 Note that because of the potential presence of empty list elements, 7311 the RFC 5234 ABNF cannot enforce the cardinality of list elements, 7312 and consequently all cases are mapped is if there was no cardinality 7313 specified. 7315 For example, given these ABNF productions: 7317 example-list = 1#example-list-elmt 7318 example-list-elmt = token ; see Section 4.2.3.1 7320 Then the following are valid values for example-list (not including 7321 the double quotes, which are present for delimitation only): 7323 "foo,bar" 7324 "foo ,bar," 7325 "foo , ,bar,charlie" 7327 In contrast, the following values would be invalid, since at least 7328 one non-empty element is required by the example-list production: 7330 "" 7331 "," 7332 ", ," 7334 Appendix A shows the collected ABNF for recipients after the list 7335 constructs have been expanded. 7337 13. Security Considerations 7339 This section is meant to inform developers, information providers, 7340 and users of known security concerns relevant to HTTP semantics and 7341 its use for transferring information over the Internet. 7342 Considerations related to message syntax, parsing, and routing are 7343 discussed in Section 11 of [Messaging]. 7345 The list of considerations below is not exhaustive. Most security 7346 concerns related to HTTP semantics are about securing server-side 7347 applications (code behind the HTTP interface), securing user agent 7348 processing of payloads received via HTTP, or secure use of the 7349 Internet in general, rather than security of the protocol. Various 7350 organizations maintain topical information and links to current 7351 research on Web application security (e.g., [OWASP]). 7353 13.1. Establishing Authority 7355 HTTP relies on the notion of an authoritative response: a response 7356 that has been determined by (or at the direction of) the origin 7357 server identified within the target URI to be the most appropriate 7358 response for that request given the state of the target resource at 7359 the time of response message origination. 7361 When a registered name is used in the authority component, the "http" 7362 URI scheme (Section 2.5.1) relies on the user's local name resolution 7363 service to determine where it can find authoritative responses. This 7364 means that any attack on a user's network host table, cached names, 7365 or name resolution libraries becomes an avenue for attack on 7366 establishing authority for "http" URIs. Likewise, the user's choice 7367 of server for Domain Name Service (DNS), and the hierarchy of servers 7368 from which it obtains resolution results, could impact the 7369 authenticity of address mappings; DNS Security Extensions (DNSSEC, 7370 [RFC4033]) are one way to improve authenticity. 7372 Furthermore, after an IP address is obtained, establishing authority 7373 for an "http" URI is vulnerable to attacks on Internet Protocol 7374 routing. 7376 The "https" scheme (Section 2.5.2) is intended to prevent (or at 7377 least reveal) many of these potential attacks on establishing 7378 authority, provided that the negotiated TLS connection is secured and 7379 the client properly verifies that the communicating server's identity 7380 matches the target URI's authority component (Section 2.5.2.2). 7381 Correctly implementing such verification can be difficult (see 7382 [Georgiev]). 7384 Authority for a given origin server can be delegated through protocol 7385 extensions; for example, [RFC7838]. Likewise, the set of servers 7386 that a connection is considered authoritative for can be changed with 7387 a protocol extension like [RFC8336]. 7389 Providing a response from a non-authoritative source, such as a 7390 shared proxy cache, is often useful to improve performance and 7391 availability, but only to the extent that the source can be trusted 7392 or the distrusted response can be safely used. 7394 Unfortunately, communicating authority to users can be difficult. 7395 For example, phishing is an attack on the user's perception of 7396 authority, where that perception can be misled by presenting similar 7397 branding in hypertext, possibly aided by userinfo obfuscating the 7398 authority component (see Section 2.5.1). User agents can reduce the 7399 impact of phishing attacks by enabling users to easily inspect a 7400 target URI prior to making an action, by prominently distinguishing 7401 (or rejecting) userinfo when present, and by not sending stored 7402 credentials and cookies when the referring document is from an 7403 unknown or untrusted source. 7405 See also [RFC6454] for a formalisation of authority that is used by 7406 many clients. 7408 13.2. Risks of Intermediaries 7410 By their very nature, HTTP intermediaries are men-in-the-middle and, 7411 thus, represent an opportunity for man-in-the-middle attacks. 7412 Compromise of the systems on which the intermediaries run can result 7413 in serious security and privacy problems. Intermediaries might have 7414 access to security-related information, personal information about 7415 individual users and organizations, and proprietary information 7416 belonging to users and content providers. A compromised 7417 intermediary, or an intermediary implemented or configured without 7418 regard to security and privacy considerations, might be used in the 7419 commission of a wide range of potential attacks. 7421 Intermediaries that contain a shared cache are especially vulnerable 7422 to cache poisoning attacks, as described in Section 7 of [Caching]. 7424 Implementers need to consider the privacy and security implications 7425 of their design and coding decisions, and of the configuration 7426 options they provide to operators (especially the default 7427 configuration). 7429 Users need to be aware that intermediaries are no more trustworthy 7430 than the people who run them; HTTP itself cannot solve this problem. 7432 13.3. Attacks Based on File and Path Names 7434 Origin servers frequently make use of their local file system to 7435 manage the mapping from effective request URI to resource 7436 representations. Most file systems are not designed to protect 7437 against malicious file or path names. Therefore, an origin server 7438 needs to avoid accessing names that have a special significance to 7439 the system when mapping the request target to files, folders, or 7440 directories. 7442 For example, UNIX, Microsoft Windows, and other operating systems use 7443 ".." as a path component to indicate a directory level above the 7444 current one, and they use specially named paths or file names to send 7445 data to system devices. Similar naming conventions might exist 7446 within other types of storage systems. Likewise, local storage 7447 systems have an annoying tendency to prefer user-friendliness over 7448 security when handling invalid or unexpected characters, 7449 recomposition of decomposed characters, and case-normalization of 7450 case-insensitive names. 7452 Attacks based on such special names tend to focus on either denial- 7453 of-service (e.g., telling the server to read from a COM port) or 7454 disclosure of configuration and source files that are not meant to be 7455 served. 7457 13.4. Attacks Based on Command, Code, or Query Injection 7459 Origin servers often use parameters within the URI as a means of 7460 identifying system services, selecting database entries, or choosing 7461 a data source. However, data received in a request cannot be 7462 trusted. An attacker could construct any of the request data 7463 elements (method, request-target, header fields, or body) to contain 7464 data that might be misinterpreted as a command, code, or query when 7465 passed through a command invocation, language interpreter, or 7466 database interface. 7468 For example, SQL injection is a common attack wherein additional 7469 query language is inserted within some part of the request-target or 7470 header fields (e.g., Host, Referer, etc.). If the received data is 7471 used directly within a SELECT statement, the query language might be 7472 interpreted as a database command instead of a simple string value. 7473 This type of implementation vulnerability is extremely common, in 7474 spite of being easy to prevent. 7476 In general, resource implementations ought to avoid use of request 7477 data in contexts that are processed or interpreted as instructions. 7478 Parameters ought to be compared to fixed strings and acted upon as a 7479 result of that comparison, rather than passed through an interface 7480 that is not prepared for untrusted data. Received data that isn't 7481 based on fixed parameters ought to be carefully filtered or encoded 7482 to avoid being misinterpreted. 7484 Similar considerations apply to request data when it is stored and 7485 later processed, such as within log files, monitoring tools, or when 7486 included within a data format that allows embedded scripts. 7488 13.5. Attacks via Protocol Element Length 7490 Because HTTP uses mostly textual, character-delimited fields, parsers 7491 are often vulnerable to attacks based on sending very long (or very 7492 slow) streams of data, particularly where an implementation is 7493 expecting a protocol element with no predefined length (Section 3.3). 7495 To promote interoperability, specific recommendations are made for 7496 minimum size limits on request-line (Section 3 of [Messaging]) and 7497 header fields (Section 4). These are minimum recommendations, chosen 7498 to be supportable even by implementations with limited resources; it 7499 is expected that most implementations will choose substantially 7500 higher limits. 7502 A server can reject a message that has a request-target that is too 7503 long (Section 9.5.15) or a request payload that is too large 7504 (Section 9.5.14). Additional status codes related to capacity limits 7505 have been defined by extensions to HTTP [RFC6585]. 7507 Recipients ought to carefully limit the extent to which they process 7508 other protocol elements, including (but not limited to) request 7509 methods, response status phrases, header field-names, numeric values, 7510 and body chunks. Failure to limit such processing can result in 7511 buffer overflows, arithmetic overflows, or increased vulnerability to 7512 denial-of-service attacks. 7514 13.6. Disclosure of Personal Information 7516 Clients are often privy to large amounts of personal information, 7517 including both information provided by the user to interact with 7518 resources (e.g., the user's name, location, mail address, passwords, 7519 encryption keys, etc.) and information about the user's browsing 7520 activity over time (e.g., history, bookmarks, etc.). Implementations 7521 need to prevent unintentional disclosure of personal information. 7523 13.7. Privacy of Server Log Information 7525 A server is in the position to save personal data about a user's 7526 requests over time, which might identify their reading patterns or 7527 subjects of interest. In particular, log information gathered at an 7528 intermediary often contains a history of user agent interaction, 7529 across a multitude of sites, that can be traced to individual users. 7531 HTTP log information is confidential in nature; its handling is often 7532 constrained by laws and regulations. Log information needs to be 7533 securely stored and appropriate guidelines followed for its analysis. 7534 Anonymization of personal information within individual entries 7535 helps, but it is generally not sufficient to prevent real log traces 7536 from being re-identified based on correlation with other access 7537 characteristics. As such, access traces that are keyed to a specific 7538 client are unsafe to publish even if the key is pseudonymous. 7540 To minimize the risk of theft or accidental publication, log 7541 information ought to be purged of personally identifiable 7542 information, including user identifiers, IP addresses, and user- 7543 provided query parameters, as soon as that information is no longer 7544 necessary to support operational needs for security, auditing, or 7545 fraud control. 7547 13.8. Disclosure of Sensitive Information in URIs 7549 URIs are intended to be shared, not secured, even when they identify 7550 secure resources. URIs are often shown on displays, added to 7551 templates when a page is printed, and stored in a variety of 7552 unprotected bookmark lists. It is therefore unwise to include 7553 information within a URI that is sensitive, personally identifiable, 7554 or a risk to disclose. 7556 Authors of services ought to avoid GET-based forms for the submission 7557 of sensitive data because that data will be placed in the request- 7558 target. Many existing servers, proxies, and user agents log or 7559 display the request-target in places where it might be visible to 7560 third parties. Such services ought to use POST-based form submission 7561 instead. 7563 Since the Referer header field tells a target site about the context 7564 that resulted in a request, it has the potential to reveal 7565 information about the user's immediate browsing history and any 7566 personal information that might be found in the referring resource's 7567 URI. Limitations on the Referer header field are described in 7568 Section 8.6.2 to address some of its security considerations. 7570 13.9. Disclosure of Fragment after Redirects 7572 Although fragment identifiers used within URI references are not sent 7573 in requests, implementers ought to be aware that they will be visible 7574 to the user agent and any extensions or scripts running as a result 7575 of the response. In particular, when a redirect occurs and the 7576 original request's fragment identifier is inherited by the new 7577 reference in Location (Section 10.1.2), this might have the effect of 7578 disclosing one site's fragment to another site. If the first site 7579 uses personal information in fragments, it ought to ensure that 7580 redirects to other sites include a (possibly empty) fragment 7581 component in order to block that inheritance. 7583 13.10. Disclosure of Product Information 7585 The User-Agent (Section 8.6.3), Via (Section 5.5.1), and Server 7586 (Section 10.4.3) header fields often reveal information about the 7587 respective sender's software systems. In theory, this can make it 7588 easier for an attacker to exploit known security holes; in practice, 7589 attackers tend to try all potential holes regardless of the apparent 7590 software versions being used. 7592 Proxies that serve as a portal through a network firewall ought to 7593 take special precautions regarding the transfer of header information 7594 that might identify hosts behind the firewall. The Via header field 7595 allows intermediaries to replace sensitive machine names with 7596 pseudonyms. 7598 13.11. Browser Fingerprinting 7600 Browser fingerprinting is a set of techniques for identifying a 7601 specific user agent over time through its unique set of 7602 characteristics. These characteristics might include information 7603 related to its TCP behavior, feature capabilities, and scripting 7604 environment, though of particular interest here is the set of unique 7605 characteristics that might be communicated via HTTP. Fingerprinting 7606 is considered a privacy concern because it enables tracking of a user 7607 agent's behavior over time without the corresponding controls that 7608 the user might have over other forms of data collection (e.g., 7609 cookies). Many general-purpose user agents (i.e., Web browsers) have 7610 taken steps to reduce their fingerprints. 7612 There are a number of request header fields that might reveal 7613 information to servers that is sufficiently unique to enable 7614 fingerprinting. The From header field is the most obvious, though it 7615 is expected that From will only be sent when self-identification is 7616 desired by the user. Likewise, Cookie header fields are deliberately 7617 designed to enable re-identification, so fingerprinting concerns only 7618 apply to situations where cookies are disabled or restricted by the 7619 user agent's configuration. 7621 The User-Agent header field might contain enough information to 7622 uniquely identify a specific device, usually when combined with other 7623 characteristics, particularly if the user agent sends excessive 7624 details about the user's system or extensions. However, the source 7625 of unique information that is least expected by users is proactive 7626 negotiation (Section 8.4), including the Accept, Accept-Charset, 7627 Accept-Encoding, and Accept-Language header fields. 7629 In addition to the fingerprinting concern, detailed use of the 7630 Accept-Language header field can reveal information the user might 7631 consider to be of a private nature. For example, understanding a 7632 given language set might be strongly correlated to membership in a 7633 particular ethnic group. An approach that limits such loss of 7634 privacy would be for a user agent to omit the sending of Accept- 7635 Language except for sites that have been whitelisted, perhaps via 7636 interaction after detecting a Vary header field that indicates 7637 language negotiation might be useful. 7639 In environments where proxies are used to enhance privacy, user 7640 agents ought to be conservative in sending proactive negotiation 7641 header fields. General-purpose user agents that provide a high 7642 degree of header field configurability ought to inform users about 7643 the loss of privacy that might result if too much detail is provided. 7644 As an extreme privacy measure, proxies could filter the proactive 7645 negotiation header fields in relayed requests. 7647 13.12. Validator Retention 7649 The validators defined by this specification are not intended to 7650 ensure the validity of a representation, guard against malicious 7651 changes, or detect man-in-the-middle attacks. At best, they enable 7652 more efficient cache updates and optimistic concurrent writes when 7653 all participants are behaving nicely. At worst, the conditions will 7654 fail and the client will receive a response that is no more harmful 7655 than an HTTP exchange without conditional requests. 7657 An entity-tag can be abused in ways that create privacy risks. For 7658 example, a site might deliberately construct a semantically invalid 7659 entity-tag that is unique to the user or user agent, send it in a 7660 cacheable response with a long freshness time, and then read that 7661 entity-tag in later conditional requests as a means of re-identifying 7662 that user or user agent. Such an identifying tag would become a 7663 persistent identifier for as long as the user agent retained the 7664 original cache entry. User agents that cache representations ought 7665 to ensure that the cache is cleared or replaced whenever the user 7666 performs privacy-maintaining actions, such as clearing stored cookies 7667 or changing to a private browsing mode. 7669 13.13. Denial-of-Service Attacks Using Range 7671 Unconstrained multiple range requests are susceptible to denial-of- 7672 service attacks because the effort required to request many 7673 overlapping ranges of the same data is tiny compared to the time, 7674 memory, and bandwidth consumed by attempting to serve the requested 7675 data in many parts. Servers ought to ignore, coalesce, or reject 7676 egregious range requests, such as requests for more than two 7677 overlapping ranges or for many small ranges in a single set, 7678 particularly when the ranges are requested out of order for no 7679 apparent reason. Multipart range requests are not designed to 7680 support random access. 7682 13.14. Authentication Considerations 7684 Everything about the topic of HTTP authentication is a security 7685 consideration, so the list of considerations below is not exhaustive. 7686 Furthermore, it is limited to security considerations regarding the 7687 authentication framework, in general, rather than discussing all of 7688 the potential considerations for specific authentication schemes 7689 (which ought to be documented in the specifications that define those 7690 schemes). Various organizations maintain topical information and 7691 links to current research on Web application security (e.g., 7692 [OWASP]), including common pitfalls for implementing and using the 7693 authentication schemes found in practice. 7695 13.14.1. Confidentiality of Credentials 7697 The HTTP authentication framework does not define a single mechanism 7698 for maintaining the confidentiality of credentials; instead, each 7699 authentication scheme defines how the credentials are encoded prior 7700 to transmission. While this provides flexibility for the development 7701 of future authentication schemes, it is inadequate for the protection 7702 of existing schemes that provide no confidentiality on their own, or 7703 that do not sufficiently protect against replay attacks. 7704 Furthermore, if the server expects credentials that are specific to 7705 each individual user, the exchange of those credentials will have the 7706 effect of identifying that user even if the content within 7707 credentials remains confidential. 7709 HTTP depends on the security properties of the underlying transport- 7710 or session-level connection to provide confidential transmission of 7711 header fields. In other words, if a server limits access to 7712 authenticated users using this framework, the server needs to ensure 7713 that the connection is properly secured in accordance with the nature 7714 of the authentication scheme used. For example, services that depend 7715 on individual user authentication often require a connection to be 7716 secured with TLS ("Transport Layer Security", [RFC8446]) prior to 7717 exchanging any credentials. 7719 13.14.2. Credentials and Idle Clients 7721 Existing HTTP clients and user agents typically retain authentication 7722 information indefinitely. HTTP does not provide a mechanism for the 7723 origin server to direct clients to discard these cached credentials, 7724 since the protocol has no awareness of how credentials are obtained 7725 or managed by the user agent. The mechanisms for expiring or 7726 revoking credentials can be specified as part of an authentication 7727 scheme definition. 7729 Circumstances under which credential caching can interfere with the 7730 application's security model include but are not limited to: 7732 o Clients that have been idle for an extended period, following 7733 which the server might wish to cause the client to re-prompt the 7734 user for credentials. 7736 o Applications that include a session termination indication (such 7737 as a "logout" or "commit" button on a page) after which the server 7738 side of the application "knows" that there is no further reason 7739 for the client to retain the credentials. 7741 User agents that cache credentials are encouraged to provide a 7742 readily accessible mechanism for discarding cached credentials under 7743 user control. 7745 13.14.3. Protection Spaces 7747 Authentication schemes that solely rely on the "realm" mechanism for 7748 establishing a protection space will expose credentials to all 7749 resources on an origin server. Clients that have successfully made 7750 authenticated requests with a resource can use the same 7751 authentication credentials for other resources on the same origin 7752 server. This makes it possible for a different resource to harvest 7753 authentication credentials for other resources. 7755 This is of particular concern when an origin server hosts resources 7756 for multiple parties under the same canonical root URI 7757 (Section 8.5.2). Possible mitigation strategies include restricting 7758 direct access to authentication credentials (i.e., not making the 7759 content of the Authorization request header field available), and 7760 separating protection spaces by using a different host name (or port 7761 number) for each party. 7763 13.14.4. Additional Response Header Fields 7765 Adding information to responses that are sent over an unencrypted 7766 channel can affect security and privacy. The presence of the 7767 Authentication-Info and Proxy-Authentication-Info header fields alone 7768 indicates that HTTP authentication is in use. Additional information 7769 could be exposed by the contents of the authentication-scheme 7770 specific parameters; this will have to be considered in the 7771 definitions of these schemes. 7773 14. IANA Considerations 7775 The change controller for the following registrations is: "IETF 7776 (iesg@ietf.org) - Internet Engineering Task Force". 7778 14.1. URI Scheme Registration 7780 Please update the registry of URI Schemes [BCP35] at 7781 with the permanent 7782 schemes listed in the first table of Section 2.5. 7784 14.2. Method Registration 7786 Please update the "Hypertext Transfer Protocol (HTTP) Method 7787 Registry" at with the 7788 registration procedure of Section 7.4.1 and the method names 7789 summarized in the table of Section 7.2. 7791 14.3. Status Code Registration 7793 Please update the "Hypertext Transfer Protocol (HTTP) Status Code 7794 Registry" at 7795 with the registration procedure of Section 9.7.1 and the status code 7796 values summarized in the table of Section 9.1. 7798 Additionally, please update the following entry in the Hypertext 7799 Transfer Protocol (HTTP) Status Code Registry: 7801 Value: 418 7803 Description: (Unused) 7805 Reference Section 9.5.19 7807 14.4. Header Field Registration 7809 Please create a new registry as outlined in Section 4.1.1. 7811 After creating the registry, all entries in the Permanent and 7812 Provisional Message Header Registries with the protocol 'http' are to 7813 be moved to it, with the following changes applied: 7815 1. The 'Applicable Protocol' field is to be omitted. 7817 2. Entries with a status of 'standard', 'experimental', or 7818 'informational' are to have a status of 'permanent'. 7820 3. Provisional entries without a status are to have a status of 7821 'provisional'. 7823 4. Permanent entries without a status (after confirmation that the 7824 registration document did not define one) will have a status of 7825 'provisional'. The Expert(s) can choose to update their status 7826 if there is evidence that another is more appropriate. 7828 Please annotate the Permanent and Provisional Message Header 7829 registries to indicate that HTTP header field registrations have 7830 moved, with an appropriate link. 7832 After that is complete, please update the new registry with the 7833 header field names listed in the table of Section 4.1. 7835 Finally, please update the "Content-MD5" entry in the new registry to 7836 have a status of 'obsoleted' with references to Section 14.15 of 7837 [RFC2616] (for the definition of the header field) and Appendix B of 7838 [RFC7231] (which removed the field definition from the updated 7839 specification). 7841 14.5. Authentication Scheme Registration 7843 Please update the "Hypertext Transfer Protocol (HTTP) Authentication 7844 Scheme Registry" at with the registration procedure of Section 8.5.5.1. No 7846 authentication schemes are defined in this document. 7848 14.6. Content Coding Registration 7850 Please update the "HTTP Content Coding Registry" at 7851 with the 7852 registration procedure of Section 6.1.2.4.1 and the content coding 7853 names summarized in the table of Section 6.1.2. 7855 14.7. Range Unit Registration 7857 Please update the "HTTP Range Unit Registry" at 7858 with the 7859 registration procedure of Section 6.1.4.4 and the range unit names 7860 summarized in the table of Section 6.1.4. 7862 14.8. Media Type Registration 7864 Please update the "Media Types" registry at 7865 with the registration 7866 information in Section 6.3.5 for the media type "multipart/ 7867 byteranges". 7869 14.9. Port Registration 7871 Please update the "Service Name and Transport Protocol Port Number" 7872 registry at for the services on ports 80 and 443 that use UDP or TCP 7874 to: 7876 1. use this document as "Reference", and 7878 2. when currently unspecified, set "Assignee" to "IESG" and 7879 "Contact" to "IETF_Chair". 7881 15. References 7883 15.1. Normative References 7885 [Caching] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 7886 Ed., "HTTP Caching", draft-ietf-httpbis-cache-06 (work in 7887 progress), November 2019. 7889 [Messaging] 7890 Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 7891 Ed., "HTTP/1.1 Messaging", draft-ietf-httpbis-messaging-06 7892 (work in progress), November 2019. 7894 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 7895 RFC 793, DOI 10.17487/RFC0793, September 1981, 7896 . 7898 [RFC1950] Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data Format 7899 Specification version 3.3", RFC 1950, 7900 DOI 10.17487/RFC1950, May 1996, 7901 . 7903 [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification 7904 version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996, 7905 . 7907 [RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and G. 7908 Randers-Pehrson, "GZIP file format specification version 7909 4.3", RFC 1952, DOI 10.17487/RFC1952, May 1996, 7910 . 7912 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 7913 Extensions (MIME) Part One: Format of Internet Message 7914 Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, 7915 . 7917 [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 7918 Extensions (MIME) Part Two: Media Types", RFC 2046, 7919 DOI 10.17487/RFC2046, November 1996, 7920 . 7922 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 7923 Requirement Levels", BCP 14, RFC 2119, 7924 DOI 10.17487/RFC2119, March 1997, 7925 . 7927 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 7928 Resource Identifier (URI): Generic Syntax", STD 66, 7929 RFC 3986, DOI 10.17487/RFC3986, January 2005, 7930 . 7932 [RFC4647] Phillips, A., Ed. and M. Davis, Ed., "Matching of Language 7933 Tags", BCP 47, RFC 4647, DOI 10.17487/RFC4647, September 7934 2006, . 7936 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 7937 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 7938 . 7940 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 7941 Specifications: ABNF", STD 68, RFC 5234, 7942 DOI 10.17487/RFC5234, January 2008, 7943 . 7945 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 7946 Housley, R., and W. Polk, "Internet X.509 Public Key 7947 Infrastructure Certificate and Certificate Revocation List 7948 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 7949 . 7951 [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying 7952 Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, 7953 September 2009, . 7955 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in 7956 Internationalization in the IETF", BCP 166, RFC 6365, 7957 DOI 10.17487/RFC6365, September 2011, 7958 . 7960 [RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF", 7961 RFC 7405, DOI 10.17487/RFC7405, December 2014, 7962 . 7964 [USASCII] American National Standards Institute, "Coded Character 7965 Set -- 7-bit American Standard Code for Information 7966 Interchange", ANSI X3.4, 1986. 7968 [Welch] Welch, T., "A Technique for High-Performance Data 7969 Compression", IEEE Computer 17(6), 7970 DOI 10.1109/MC.1984.1659158, June 1984, 7971 . 7973 15.2. Informative References 7975 [BCP13] Freed, N., Klensin, J., and T. Hansen, "Media Type 7976 Specifications and Registration Procedures", BCP 13, 7977 RFC 6838, January 2013, 7978 . 7980 [BCP178] Saint-Andre, P., Crocker, D., and M. Nottingham, 7981 "Deprecating the "X-" Prefix and Similar Constructs in 7982 Application Protocols", BCP 178, RFC 6648, June 2012, 7983 . 7985 [BCP35] Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines 7986 and Registration Procedures for URI Schemes", BCP 35, 7987 RFC 7595, June 2015, 7988 . 7990 [BCP90] Klyne, G., Nottingham, M., and J. Mogul, "Registration 7991 Procedures for Message Header Fields", BCP 90, RFC 3864, 7992 September 2004, . 7994 [Err1912] RFC Errata, Erratum ID 1912, RFC 2978, 7995 . 7997 [Err5433] RFC Errata, Erratum ID 5433, RFC 2978, 7998 . 8000 [Georgiev] 8001 Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, 8002 D., and V. Shmatikov, "The Most Dangerous Code in the 8003 World: Validating SSL Certificates in Non-browser 8004 Software", In Proceedings of the 2012 ACM Conference on 8005 Computer and Communications Security (CCS '12), pp. 38-49, 8006 October 2012, 8007 . 8009 [ISO-8859-1] 8010 International Organization for Standardization, 8011 "Information technology -- 8-bit single-byte coded graphic 8012 character sets -- Part 1: Latin alphabet No. 1", ISO/ 8013 IEC 8859-1:1998, 1998. 8015 [Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and 8016 Politics", ACM Transactions on Internet Technology 1(2), 8017 November 2001, . 8019 [OWASP] van der Stock, A., Ed., "A Guide to Building Secure Web 8020 Applications and Web Services", The Open Web Application 8021 Security Project (OWASP) 2.0.1, July 2005, 8022 . 8024 [REST] Fielding, R., "Architectural Styles and the Design of 8025 Network-based Software Architectures", 8026 Doctoral Dissertation, University of California, Irvine, 8027 September 2000, 8028 . 8030 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 8031 RFC 1919, DOI 10.17487/RFC1919, March 1996, 8032 . 8034 [RFC1945] Berners-Lee, T., Fielding, R., and H. Nielsen, "Hypertext 8035 Transfer Protocol -- HTTP/1.0", RFC 1945, 8036 DOI 10.17487/RFC1945, May 1996, 8037 . 8039 [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) 8040 Part Three: Message Header Extensions for Non-ASCII Text", 8041 RFC 2047, DOI 10.17487/RFC2047, November 1996, 8042 . 8044 [RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. 8045 Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", 8046 RFC 2068, DOI 10.17487/RFC2068, January 1997, 8047 . 8049 [RFC2145] Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, "Use 8050 and Interpretation of HTTP Version Numbers", RFC 2145, 8051 DOI 10.17487/RFC2145, May 1997, 8052 . 8054 [RFC2295] Holtman, K. and A. Mutz, "Transparent Content Negotiation 8055 in HTTP", RFC 2295, DOI 10.17487/RFC2295, March 1998, 8056 . 8058 [RFC2324] Masinter, L., "Hyper Text Coffee Pot Control Protocol 8059 (HTCPCP/1.0)", RFC 2324, DOI 10.17487/RFC2324, April 1998, 8060 . 8062 [RFC2557] Palme, F., Hopmann, A., Shelness, N., and E. Stefferud, 8063 "MIME Encapsulation of Aggregate Documents, such as HTML 8064 (MHTML)", RFC 2557, DOI 10.17487/RFC2557, March 1999, 8065 . 8067 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 8068 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 8069 Transfer Protocol -- HTTP/1.1", RFC 2616, 8070 DOI 10.17487/RFC2616, June 1999, 8071 . 8073 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., 8074 Leach, P., Luotonen, A., and L. Stewart, "HTTP 8075 Authentication: Basic and Digest Access Authentication", 8076 RFC 2617, DOI 10.17487/RFC2617, June 1999, 8077 . 8079 [RFC2774] Frystyk, H., Leach, P., and S. Lawrence, "An HTTP 8080 Extension Framework", RFC 2774, DOI 10.17487/RFC2774, 8081 February 2000, . 8083 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 8084 DOI 10.17487/RFC2818, May 2000, 8085 . 8087 [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration 8088 Procedures", BCP 19, RFC 2978, DOI 10.17487/RFC2978, 8089 October 2000, . 8091 [RFC3040] Cooper, I., Melve, I., and G. Tomlinson, "Internet Web 8092 Replication and Caching Taxonomy", RFC 3040, 8093 DOI 10.17487/RFC3040, January 2001, 8094 . 8096 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 8097 Rose, "DNS Security Introduction and Requirements", 8098 RFC 4033, DOI 10.17487/RFC4033, March 2005, 8099 . 8101 [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based 8102 Kerberos and NTLM HTTP Authentication in Microsoft 8103 Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006, 8104 . 8106 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed 8107 Authoring and Versioning (WebDAV)", RFC 4918, 8108 DOI 10.17487/RFC4918, June 2007, 8109 . 8111 [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, 8112 DOI 10.17487/RFC5322, October 2008, 8113 . 8115 [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", 8116 RFC 5789, DOI 10.17487/RFC5789, March 2010, 8117 . 8119 [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, 8120 "Network Time Protocol Version 4: Protocol and Algorithms 8121 Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, 8122 . 8124 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, 8125 DOI 10.17487/RFC6265, April 2011, 8126 . 8128 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, 8129 DOI 10.17487/RFC6454, December 2011, 8130 . 8132 [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status 8133 Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, 8134 . 8136 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 8137 Protocol (HTTP/1.1): Message Syntax and Routing", 8138 RFC 7230, DOI 10.17487/RFC7230, June 2014, 8139 . 8141 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 8142 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 8143 DOI 10.17487/RFC7231, June 2014, 8144 . 8146 [RFC7232] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 8147 Protocol (HTTP/1.1): Conditional Requests", RFC 7232, 8148 DOI 10.17487/RFC7232, June 2014, 8149 . 8151 [RFC7233] Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed., 8152 "Hypertext Transfer Protocol (HTTP): Range Requests", 8153 RFC 7233, DOI 10.17487/RFC7233, June 2014, 8154 . 8156 [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 8157 Protocol (HTTP/1.1): Authentication", RFC 7235, 8158 DOI 10.17487/RFC7235, June 2014, 8159 . 8161 [RFC7538] Reschke, J., "The Hypertext Transfer Protocol Status Code 8162 308 (Permanent Redirect)", RFC 7538, DOI 10.17487/RFC7538, 8163 April 2015, . 8165 [RFC7578] Masinter, L., "Returning Values from Forms: multipart/ 8166 form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015, 8167 . 8169 [RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy- 8170 Authentication-Info Response Header Fields", RFC 7615, 8171 DOI 10.17487/RFC7615, September 2015, 8172 . 8174 [RFC7616] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP 8175 Digest Access Authentication", RFC 7616, 8176 DOI 10.17487/RFC7616, September 2015, 8177 . 8179 [RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", 8180 RFC 7617, DOI 10.17487/RFC7617, September 2015, 8181 . 8183 [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP 8184 Alternative Services", RFC 7838, DOI 10.17487/RFC7838, 8185 April 2016, . 8187 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 8188 Writing an IANA Considerations Section in RFCs", BCP 26, 8189 RFC 8126, DOI 10.17487/RFC8126, June 2017, 8190 . 8192 [RFC8187] Reschke, J., "Indicating Character Encoding and Language 8193 for HTTP Header Field Parameters", RFC 8187, 8194 DOI 10.17487/RFC8187, September 2017, 8195 . 8197 [RFC8246] McManus, P., "HTTP Immutable Responses", RFC 8246, 8198 DOI 10.17487/RFC8246, September 2017, 8199 . 8201 [RFC8288] Nottingham, M., "Web Linking", RFC 8288, 8202 DOI 10.17487/RFC8288, October 2017, 8203 . 8205 [RFC8336] Nottingham, M. and E. Nygren, "The ORIGIN HTTP/2 Frame", 8206 RFC 8336, DOI 10.17487/RFC8336, March 2018, 8207 . 8209 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 8210 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 8211 . 8213 [Sniffing] 8214 WHATWG, "MIME Sniffing", 8215 . 8217 Appendix A. Collected ABNF 8219 In the collected ABNF below, list rules are expanded as per 8220 Section 12. 8222 Accept = [ ( "," / ( media-range [ accept-params ] ) ) *( OWS "," [ 8223 OWS ( media-range [ accept-params ] ) ] ) ] 8224 Accept-Charset = *( "," OWS ) ( ( charset / "*" ) [ weight ] ) *( OWS 8225 "," [ OWS ( ( charset / "*" ) [ weight ] ) ] ) 8226 Accept-Encoding = [ ( "," / ( codings [ weight ] ) ) *( OWS "," [ OWS 8227 ( codings [ weight ] ) ] ) ] 8228 Accept-Language = *( "," OWS ) ( language-range [ weight ] ) *( OWS 8229 "," [ OWS ( language-range [ weight ] ) ] ) 8230 Accept-Ranges = acceptable-ranges 8231 Allow = [ method ] *( OWS "," OWS [ method ] ) 8232 Authentication-Info = [ auth-param ] *( OWS "," OWS [ auth-param ] ) 8233 Authorization = credentials 8235 BWS = OWS 8237 Content-Encoding = [ content-coding ] *( OWS "," OWS [ content-coding 8238 ] ) 8239 Content-Language = [ language-tag ] *( OWS "," OWS [ language-tag ] 8240 ) 8241 Content-Length = 1*DIGIT 8242 Content-Location = absolute-URI / partial-URI 8243 Content-Range = range-unit SP ( range-resp / unsatisfied-range ) 8244 Content-Type = media-type 8246 Date = HTTP-date 8248 ETag = entity-tag 8249 Expect = "100-continue" 8251 From = mailbox 8253 GMT = %x47.4D.54 ; GMT 8255 HTTP-date = IMF-fixdate / obs-date 8256 Host = uri-host [ ":" port ] 8258 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 8259 If-Match = "*" / ( [ entity-tag ] *( OWS "," OWS [ entity-tag ] ) ) 8260 If-Modified-Since = HTTP-date 8261 If-None-Match = "*" / ( [ entity-tag ] *( OWS "," OWS [ entity-tag ] 8262 ) ) 8263 If-Range = entity-tag / HTTP-date 8264 If-Unmodified-Since = HTTP-date 8265 Last-Modified = HTTP-date 8266 Location = URI-reference 8268 Max-Forwards = 1*DIGIT 8270 OWS = *( SP / HTAB ) 8272 Proxy-Authenticate = [ challenge ] *( OWS "," OWS [ challenge ] ) 8273 Proxy-Authentication-Info = [ auth-param ] *( OWS "," OWS [ 8274 auth-param ] ) 8275 Proxy-Authorization = credentials 8277 RWS = 1*( SP / HTAB ) 8278 Range = ranges-specifier 8279 Referer = absolute-URI / partial-URI 8280 Retry-After = HTTP-date / delay-seconds 8282 Server = product *( RWS ( product / comment ) ) 8284 Trailer = [ field-name ] *( OWS "," OWS [ field-name ] ) 8286 URI-reference = 8287 User-Agent = product *( RWS ( product / comment ) ) 8289 Vary = "*" / ( [ field-name ] *( OWS "," OWS [ field-name ] ) ) 8290 Via = *( "," OWS ) ( received-protocol RWS received-by [ RWS comment 8291 ] ) *( OWS "," [ OWS ( received-protocol RWS received-by [ RWS 8292 comment ] ) ] ) 8294 WWW-Authenticate = [ challenge ] *( OWS "," OWS [ challenge ] ) 8296 absolute-URI = 8297 absolute-path = 1*( "/" segment ) 8298 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 8299 accept-params = weight *accept-ext 8300 acceptable-ranges = ( [ range-unit ] *( OWS "," OWS [ range-unit ] ) 8301 ) / "none" 8302 asctime-date = day-name SP date3 SP time-of-day SP year 8303 auth-param = token BWS "=" BWS ( token / quoted-string ) 8304 auth-scheme = token 8305 authority = 8307 challenge = auth-scheme [ 1*SP ( token68 / ( [ auth-param ] *( OWS 8308 "," OWS [ auth-param ] ) ) ) ] 8309 charset = token 8310 codings = content-coding / "identity" / "*" 8311 comment = "(" *( ctext / quoted-pair / comment ) ")" 8312 complete-length = 1*DIGIT 8313 content-coding = token 8314 credentials = auth-scheme [ 1*SP ( token68 / ( [ auth-param ] *( OWS 8315 "," OWS [ auth-param ] ) ) ) ] 8316 ctext = HTAB / SP / %x21-27 ; '!'-''' 8317 / %x2A-5B ; '*'-'[' 8318 / %x5D-7E ; ']'-'~' 8319 / obs-text 8321 date1 = day SP month SP year 8322 date2 = day "-" month "-" 2DIGIT 8323 date3 = month SP ( 2DIGIT / ( SP DIGIT ) ) 8324 day = 2DIGIT 8325 day-name = %x4D.6F.6E ; Mon 8326 / %x54.75.65 ; Tue 8327 / %x57.65.64 ; Wed 8328 / %x54.68.75 ; Thu 8329 / %x46.72.69 ; Fri 8330 / %x53.61.74 ; Sat 8331 / %x53.75.6E ; Sun 8332 day-name-l = %x4D.6F.6E.64.61.79 ; Monday 8333 / %x54.75.65.73.64.61.79 ; Tuesday 8334 / %x57.65.64.6E.65.73.64.61.79 ; Wednesday 8335 / %x54.68.75.72.73.64.61.79 ; Thursday 8336 / %x46.72.69.64.61.79 ; Friday 8337 / %x53.61.74.75.72.64.61.79 ; Saturday 8338 / %x53.75.6E.64.61.79 ; Sunday 8339 delay-seconds = 1*DIGIT 8341 entity-tag = [ weak ] opaque-tag 8342 etagc = "!" / %x23-7E ; '#'-'~' 8343 / obs-text 8345 field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) 8346 field-vchar ] 8347 field-name = token 8348 field-value = *( field-content / obs-fold ) 8349 field-vchar = VCHAR / obs-text 8350 first-pos = 1*DIGIT 8352 hour = 2DIGIT 8353 http-URI = "http://" authority path-abempty [ "?" query ] 8354 https-URI = "https://" authority path-abempty [ "?" query ] 8356 incl-range = first-pos "-" last-pos 8357 int-range = first-pos "-" [ last-pos ] 8359 language-range = 8360 language-tag = 8361 last-pos = 1*DIGIT 8363 mailbox = 8364 media-range = ( "*/*" / ( type "/*" ) / ( type "/" subtype ) ) *( OWS 8365 ";" OWS parameter ) 8366 media-type = type "/" subtype *( OWS ";" OWS parameter ) 8367 method = token 8368 minute = 2DIGIT 8369 month = %x4A.61.6E ; Jan 8370 / %x46.65.62 ; Feb 8371 / %x4D.61.72 ; Mar 8372 / %x41.70.72 ; Apr 8373 / %x4D.61.79 ; May 8374 / %x4A.75.6E ; Jun 8375 / %x4A.75.6C ; Jul 8376 / %x41.75.67 ; Aug 8377 / %x53.65.70 ; Sep 8378 / %x4F.63.74 ; Oct 8379 / %x4E.6F.76 ; Nov 8380 / %x44.65.63 ; Dec 8382 obs-date = rfc850-date / asctime-date 8383 obs-fold = 8384 obs-text = %x80-FF 8385 opaque-tag = DQUOTE *etagc DQUOTE 8386 other-range = 1*( %x21-2B ; '!'-'+' 8387 / %x2D-7E ; '-'-'~' 8388 ) 8390 parameter = parameter-name "=" parameter-value 8391 parameter-name = token 8392 parameter-value = ( token / quoted-string ) 8393 partial-URI = relative-part [ "?" query ] 8394 path-abempty = 8395 port = 8396 product = token [ "/" product-version ] 8397 product-version = token 8398 protocol-name = 8399 protocol-version = 8400 pseudonym = token 8402 qdtext = HTAB / SP / "!" / %x23-5B ; '#'-'[' 8403 / %x5D-7E ; ']'-'~' 8404 / obs-text 8405 query = 8406 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 8407 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 8408 qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] ) 8409 range-resp = incl-range "/" ( complete-length / "*" ) 8410 range-set = [ range-spec ] *( OWS "," OWS [ range-spec ] ) 8411 range-spec = int-range / suffix-range / other-range 8412 range-unit = token 8413 ranges-specifier = range-unit "=" range-set 8414 received-by = ( uri-host [ ":" port ] ) / pseudonym 8415 received-protocol = [ protocol-name "/" ] protocol-version 8416 relative-part = 8417 request-target = 8418 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 8420 second = 2DIGIT 8421 segment = 8422 subtype = token 8423 suffix-length = 1*DIGIT 8424 suffix-range = "-" suffix-length 8426 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / 8427 "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA 8428 time-of-day = hour ":" minute ":" second 8429 token = 1*tchar 8430 token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) 8431 *"=" 8432 type = token 8434 unsatisfied-range = "*/" complete-length 8435 uri-host = 8437 weak = %x57.2F ; W/ 8438 weight = OWS ";" OWS "q=" qvalue 8440 year = 4DIGIT 8442 Appendix B. Changes from RFC 7230 8444 The sections introducing HTTP's design goals, history, architecture, 8445 conformance criteria, protocol versioning, URIs, message routing, and 8446 header fields have been moved here (without substantive change). 8448 Trailer field semantics now transcend the specifics of chunked 8449 encoding. Use of trailer fields has been further limited to only 8450 allow generation as a trailer field when the sender knows the field 8451 defines that usage and to only allow merging into the header section 8452 if the recipient knows the corresponding field definition permits and 8453 defines how to merge. In all other cases, implementations are 8454 encouraged to either store the trailer fields separately or discard 8455 them instead of merging (Section 4.3.2). 8457 Added status code 308 (previously defined in [RFC7538]) so that it's 8458 defined closer to status codes 301, 302, and 307 (Section 9.4.9). 8460 Added status code 422 (previously defined in Section 11.2 of 8461 [RFC4918]) because of its general applicability (Section 9.5.20). 8463 Appendix C. Changes from RFC 2818 8465 None yet. 8467 Appendix D. Changes from RFC 7231 8469 Restrictions on client retries have been loosened, to reflect 8470 implementation behavior. (Section 7.2.2) 8472 Removed a superfluous requirement about setting Content-Length from 8473 the description of the OPTIONS method. (Section 7.3.7) 8475 Minimum URI lengths to be supported by implementations are now 8476 recommended. (Section 2.5) 8478 Clarified that request bodies on GET are not interoperable. 8479 (Section 7.3.1) 8481 Appendix E. Changes from RFC 7232 8483 None yet. 8485 Appendix F. Changes from RFC 7233 8487 Refactored the range-unit and ranges-specifier grammars to simplify 8488 and reduce artificial distinctions between bytes and other 8489 (extension) range units, removing the overlapping grammar of other- 8490 range-unit by defining range units generically as a token and placing 8491 extensions within the scope of a range-spec (other-range). This 8492 disambiguates the role of list syntax (commas) in all range sets, 8493 including extension range units, for indicating a range-set of more 8494 than one range. Moving the extension grammar into range specifiers 8495 also allows protocol specific to byte ranges to be specified 8496 separately. 8498 Appendix G. Changes from RFC 7235 8500 None yet. 8502 Appendix H. Changes from RFC 7538 8504 None yet. 8506 Appendix I. Changes from RFC 7615 8508 None yet. 8510 Appendix J. Change Log 8512 This section is to be removed before publishing as an RFC. 8514 J.1. Between RFC723x and draft 00 8516 The changes were purely editorial: 8518 o Change boilerplate and abstract to indicate the "draft" status, 8519 and update references to ancestor specifications. 8521 o Remove version "1.1" from document title, indicating that this 8522 specification applies to all HTTP versions. 8524 o Adjust historical notes. 8526 o Update links to sibling specifications. 8528 o Replace sections listing changes from RFC 2616 by new empty 8529 sections referring to RFC 723x. 8531 o Remove acknowledgements specific to RFC 723x. 8533 o Move "Acknowledgements" to the very end and make them unnumbered. 8535 J.2. Since draft-ietf-httpbis-semantics-00 8537 The changes in this draft are editorial, with respect to HTTP as a 8538 whole, to merge core HTTP semantics into this document: 8540 o Merged introduction, architecture, conformance, and ABNF 8541 extensions from RFC 7230 (Messaging). 8543 o Rearranged architecture to extract conformance, http(s) schemes, 8544 and protocol versioning into a separate major section. 8546 o Moved discussion of MIME differences to [Messaging] since that is 8547 primarily concerned with transforming 1.1 messages. 8549 o Merged entire content of RFC 7232 (Conditional Requests). 8551 o Merged entire content of RFC 7233 (Range Requests). 8553 o Merged entire content of RFC 7235 (Auth Framework). 8555 o Moved all extensibility tips, registration procedures, and 8556 registry tables from the IANA considerations to normative 8557 sections, reducing the IANA considerations to just instructions 8558 that will be removed prior to publication as an RFC. 8560 J.3. Since draft-ietf-httpbis-semantics-01 8562 o Improve [Welch] citation () 8565 o Remove HTTP/1.1-ism about Range Requests 8566 () 8568 o Cite RFC 8126 instead of RFC 5226 () 8571 o Cite RFC 7538 instead of RFC 7238 () 8574 o Cite RFC 8288 instead of RFC 5988 () 8577 o Cite RFC 8187 instead of RFC 5987 () 8580 o Cite RFC 7578 instead of RFC 2388 () 8583 o Cite RFC 7595 instead of RFC 4395 () 8586 o improve ABNF readability for qdtext (, ) 8589 o Clarify "resource" vs "representation" in definition of status 8590 code 416 (, 8591 ) 8593 o Resolved erratum 4072, no change needed here 8594 (, 8595 ) 8597 o Clarify DELETE status code suggestions 8598 (, 8599 ) 8601 o In Section 6.3.4, fix ABNF for "other-range-resp" to use VCHAR 8602 instead of CHAR (, 8603 ) 8605 o Resolved erratum 5162, no change needed here 8606 (, 8607 ) 8609 o Replace "response code" with "response status code" and "status- 8610 code" (the ABNF production name from the HTTP/1.1 message format) 8611 by "status code" (, 8612 ) 8614 o Added a missing word in Section 9.4 (, ) 8617 o In Section 12, fixed an example that had trailing whitespace where 8618 it shouldn't (, 8619 ) 8621 o In Section 9.3.7, remove words that were potentially misleading 8622 with respect to the relation to the requested ranges 8623 (, 8624 ) 8626 J.4. Since draft-ietf-httpbis-semantics-02 8628 o Included (Proxy-)Auth-Info header field definition from RFC 7615 8629 () 8631 o In Section 7.3.3, clarify POST caching 8632 () 8634 o Add Section 9.5.19 to reserve the 418 status code 8635 () 8637 o In Section 2.1 and Section 8.1.1, clarified when a response can be 8638 sent () 8640 o In Section 6.1.1.1, explain the difference between the "token" 8641 production, the RFC 2978 ABNF for charset names, and the actual 8642 registration practice (, ) 8645 o In Section 2.5, removed the fragment component in the URI scheme 8646 definitions as per Section 4.3 of [RFC3986], furthermore moved 8647 fragment discussion into a separate section 8648 (, 8649 , ) 8652 o In Section 3.5, add language about minor HTTP version number 8653 defaulting () 8655 o Added Section 9.5.20 for status code 422, previously defined in 8656 Section 11.2 of [RFC4918] () 8659 o In Section 9.5.17, fixed prose about byte range comparison 8660 (, 8661 ) 8663 o In Section 2.1, explain that request/response correlation is 8664 version specific () 8667 J.5. Since draft-ietf-httpbis-semantics-03 8669 o In Section 9.4.9, include status code 308 from RFC 7538 8670 () 8672 o In Section 6.1.1, clarify that the charset parameter value is 8673 case-insensitive due to the definition in RFC 2046 8674 () 8676 o Define a separate registry for HTTP header field names 8677 () 8679 o In Section 8.4, refactor and clarify description of wildcard ("*") 8680 handling () 8682 o Deprecate Accept-Charset () 8685 o In Section 8.2.1, mention Cache-Control: immutable 8686 () 8688 o In Section 4.2.1, clarify when header field combination is allowed 8689 () 8691 o In Section 14.4, instruct IANA to mark Content-MD5 as obsolete 8692 () 8694 o Use RFC 7405 ABNF notation for case-sensitive string constants 8695 () 8697 o Rework Section 2.1 to be more version-independent 8698 () 8700 o In Section 7.3.5, clarify that DELETE needs to be successful to 8701 invalidate cache (, ) 8704 J.6. Since draft-ietf-httpbis-semantics-04 8706 o In Section 4.2, fix field-content ABNF 8707 (, 8708 ) 8710 o Move Section 4.2.3.4 into its own section 8711 () 8713 o In Section 6.2.1, reference MIME Sniffing 8714 () 8716 o In Section 12, simplify the #rule mapping for recipients 8717 (, 8718 ) 8720 o In Section 7.3.7, remove misleading text about "extension" of HTTP 8721 is needed to define method payloads () 8724 o Fix editorial issue in Section 6 () 8727 o In Section 9.5.20, rephrase language not to use "entity" anymore, 8728 and also avoid lowercase "may" () 8731 o Move discussion of retries from [Messaging] into Section 7.2.2 8732 () 8734 J.7. Since draft-ietf-httpbis-semantics-05 8736 o Moved transport-independent part of the description of trailers 8737 into Section 4.3 () 8739 o Loosen requirements on retries based upon implementation behavior 8740 () 8742 o In Section 14.9, update IANA port registry for TCP/UDP on ports 80 8743 and 443 () 8745 o In Section 4.4, revise guidelines for new header field names 8746 () 8748 o In Section 7.2.3, remove concept of "cacheable methods" in favor 8749 of prose () 8751 o In Section 13.1, mention that the concept of authority can be 8752 modified by protocol extensions () 8755 o Create new subsection on payload body in Section 6.3.3, taken from 8756 portions of message body () 8759 o Moved definition of "Whitespace" into new container "Generic 8760 Syntax" (Section 11) () 8763 o In Section 2.5, recommend minimum URI size support for 8764 implementations () 8766 o In Section 6.1.4, refactored the range-unit and ranges-specifier 8767 grammars () 8769 o In Section 7.3.1, caution against a request body more strongly 8770 () 8772 o Reorganized text in Section 4.4 () 8775 o In Section 9.5.4, replace "authorize" with "fulfill" 8776 () 8778 o In Section 7.3.7, removed a misleading statement about Content- 8779 Length (, 8780 ) 8782 o In Section 13.1, add text from RFC 2818 8783 () 8785 o Changed "cacheable by default" to "heuristically cacheable" 8786 throughout () 8788 Index 8790 1 8791 100 Continue (status code) 114 8792 100-continue (expect value) 81 8793 101 Switching Protocols (status code) 114 8794 1xx Informational (status code class) 113 8796 2 8797 200 OK (status code) 114 8798 201 Created (status code) 115 8799 202 Accepted (status code) 115 8800 203 Non-Authoritative Information (status code) 116 8801 204 No Content (status code) 116 8802 205 Reset Content (status code) 117 8803 206 Partial Content (status code) 117 8804 2xx Successful (status code class) 114 8806 3 8807 300 Multiple Choices (status code) 122 8808 301 Moved Permanently (status code) 123 8809 302 Found (status code) 123 8810 303 See Other (status code) 124 8811 304 Not Modified (status code) 124 8812 305 Use Proxy (status code) 125 8813 306 (Unused) (status code) 125 8814 307 Temporary Redirect (status code) 125 8815 308 Permanent Redirect (status code) 126 8816 3xx Redirection (status code class) 120 8818 4 8819 400 Bad Request (status code) 126 8820 401 Unauthorized (status code) 126 8821 402 Payment Required (status code) 127 8822 403 Forbidden (status code) 127 8823 404 Not Found (status code) 127 8824 405 Method Not Allowed (status code) 128 8825 406 Not Acceptable (status code) 128 8826 407 Proxy Authentication Required (status code) 128 8827 408 Request Timeout (status code) 128 8828 409 Conflict (status code) 129 8829 410 Gone (status code) 129 8830 411 Length Required (status code) 129 8831 412 Precondition Failed (status code) 130 8832 413 Payload Too Large (status code) 130 8833 414 URI Too Long (status code) 130 8834 415 Unsupported Media Type (status code) 130 8835 416 Range Not Satisfiable (status code) 131 8836 417 Expectation Failed (status code) 131 8837 418 (Unused) (status code) 131 8838 422 Unprocessable Payload (status code) 132 8839 426 Upgrade Required (status code) 132 8840 4xx Client Error (status code class) 126 8842 5 8843 500 Internal Server Error (status code) 133 8844 501 Not Implemented (status code) 133 8845 502 Bad Gateway (status code) 133 8846 503 Service Unavailable (status code) 133 8847 504 Gateway Timeout (status code) 133 8848 505 HTTP Version Not Supported (status code) 133 8849 5xx Server Error (status code class) 132 8851 A 8852 Accept header field 97 8853 Accept-Charset header field 99 8854 Accept-Encoding header field 100 8855 Accept-Language header field 101 8856 Accept-Ranges header field 154 8857 Allow header field 154 8858 Authentication-Info header field 152 8859 Authorization header field 105 8860 accelerator 13 8861 authoritative response 158 8863 B 8864 browser 10 8866 C 8867 CONNECT method 76 8868 Canonical Root URI 104 8869 Content-Encoding header field 52 8870 Content-Language header field 53 8871 Content-Length header field 54 8872 Content-Location header field 55 8873 Content-MD5 header field 168 8874 Content-Range header field 59 8875 Content-Type header field 51 8876 cache 14 8877 cacheable 14 8878 captive portal 14 8879 client 10 8880 compress (Coding Format) 45 8881 compress (content coding) 44 8882 conditional request 84 8883 connection 10 8884 content coding 44 8885 content negotiation 9 8887 D 8888 DELETE method 75 8889 Date header field 138 8890 Delimiters 30 8891 deflate (Coding Format) 45 8892 deflate (content coding) 44 8893 downstream 12 8895 E 8896 ETag header field 146 8897 Expect header field 81 8898 effective request URI 36 8900 F 8901 Fragment Identifiers 20 8902 From header field 108 8904 G 8905 GET method 70 8906 Grammar 8907 absolute-path 15 8908 absolute-URI 15 8909 Accept 97 8910 Accept-Charset 99 8911 Accept-Encoding 100 8912 accept-ext 97 8913 Accept-Language 101 8914 accept-params 97 8915 Accept-Ranges 154 8916 acceptable-ranges 154 8917 Allow 154 8918 ALPHA 9 8919 asctime-date 137 8920 auth-param 103 8921 auth-scheme 103 8922 Authentication-Info 152 8923 authority 15 8924 Authorization 105 8925 BWS 156 8926 challenge 103 8927 charset 43 8928 codings 100 8929 comment 31 8930 complete-length 60 8931 content-coding 44 8932 Content-Encoding 52 8933 Content-Language 53 8934 Content-Length 54 8935 Content-Location 55 8936 Content-Range 60 8937 Content-Type 51 8938 CR 9 8939 credentials 104 8940 CRLF 9 8941 ctext 31 8942 CTL 9 8943 Date 138 8944 date1 137 8945 day 137 8946 day-name 137 8947 day-name-l 137 8948 delay-seconds 140 8949 DIGIT 9 8950 DQUOTE 9 8951 entity-tag 147 8952 ETag 147 8953 etagc 147 8954 Expect 81 8955 field-content 28 8956 field-name 25, 33 8957 field-value 28 8958 field-vchar 28 8959 first-pos 48, 60 8960 From 108 8961 GMT 137 8962 HEXDIG 9 8963 Host 37 8964 hour 137 8965 HTAB 9 8966 HTTP-date 136 8967 http-URI 16 8968 https-URI 18 8969 If-Match 88 8970 If-Modified-Since 90 8971 If-None-Match 89 8972 If-Range 93 8973 If-Unmodified-Since 91 8974 IMF-fixdate 137 8975 incl-range 60 8976 int-range 48 8977 language-range 101 8978 language-tag 46 8979 Last-Modified 144 8980 last-pos 48, 60 8981 LF 9 8982 Location 139 8983 Max-Forwards 83 8984 media-range 97 8985 media-type 42 8986 method 66 8987 minute 137 8988 month 137 8989 obs-date 137 8990 obs-text 30 8991 OCTET 9 8992 opaque-tag 147 8993 other-range 48 8994 OWS 156 8995 parameter 31 8996 parameter-name 31 8997 parameter-value 31 8998 partial-URI 15 8999 port 15 9000 product 110 9001 product-version 110 9002 protocol-name 39 9003 protocol-version 39 9004 Proxy-Authenticate 152 9005 Proxy-Authentication-Info 153 9006 Proxy-Authorization 105 9007 pseudonym 39 9008 qdtext 30 9009 query 15 9010 quoted-pair 31 9011 quoted-string 30 9012 qvalue 97 9013 Range 94 9014 range-resp 60 9015 range-set 48 9016 range-spec 48 9017 range-unit 47 9018 ranges-specifier 48 9019 received-by 39 9020 received-protocol 39 9021 Referer 109 9022 Retry-After 140 9023 rfc850-date 137 9024 RWS 156 9025 second 137 9026 segment 15 9027 Server 155 9028 SP 9 9029 subtype 42 9030 suffix-length 48 9031 suffix-range 48 9032 tchar 30 9033 time-of-day 137 9034 token 30 9035 token68 103 9036 Trailer 33 9037 type 42 9038 unsatisfied-range 60 9039 uri-host 15 9040 URI-reference 15 9041 User-Agent 110 9042 Vary 141 9043 VCHAR 9 9044 Via 39 9045 weak 147 9046 weight 97 9047 WWW-Authenticate 151 9048 year 137 9049 gateway 13 9050 gzip (Coding Format) 45 9051 gzip (content coding) 44 9053 H 9054 HEAD method 71 9055 Host header field 37 9056 http URI scheme 16 9057 https URI scheme 18 9059 I 9060 If-Match header field 88 9061 If-Modified-Since header field 90 9062 If-None-Match header field 89 9063 If-Range header field 93 9064 If-Unmodified-Since header field 91 9065 idempotent 69 9066 inbound 12 9067 interception proxy 14 9068 intermediary 12 9070 L 9071 Last-Modified header field 144 9072 Location header field 139 9074 M 9075 Max-Forwards header field 83 9076 Media Type 9077 multipart/byteranges 61 9078 multipart/x-byteranges 62 9079 message 11 9080 metadata 142 9081 multipart/byteranges Media Type 61 9082 multipart/x-byteranges Media Type 62 9084 N 9085 non-transforming proxy 40 9087 O 9088 OPTIONS method 78 9089 origin server 10 9090 outbound 12 9092 P 9093 POST method 72 9094 PUT method 73 9095 Protection Space 104 9096 Proxy-Authenticate header field 152 9097 Proxy-Authentication-Info header field 153 9098 Proxy-Authorization header field 105 9099 payload 57 9100 phishing 158 9101 proxy 13 9103 R 9104 Range header field 94 9105 Realm 104 9106 Referer header field 109 9107 Retry-After header field 140 9108 recipient 10 9109 representation 41 9110 request 11 9111 resource 15 9112 response 11 9113 reverse proxy 13 9115 S 9116 Server header field 155 9117 Status Codes Classes 9118 1xx Informational 113 9119 2xx Successful 114 9120 3xx Redirection 120 9121 4xx Client Error 126 9122 5xx Server Error 132 9123 safe 68 9124 selected representation 41, 84, 142 9125 sender 10 9126 server 10 9127 spider 10 9129 T 9130 TRACE method 79 9131 Trailer header field 33 9132 target URI 35 9133 target resource 35 9134 trailer fields 32 9135 trailers 32 9136 transforming proxy 40 9137 transparent proxy 14 9138 tunnel 13 9140 U 9141 URI scheme 9142 http 16 9143 https 18 9144 User-Agent header field 110 9145 upstream 12 9146 user agent 10 9148 V 9149 Vary header field 141 9150 Via header field 39 9151 validator 142 9152 strong 143 9153 weak 143 9155 W 9156 WWW-Authenticate header field 151 9158 X 9159 x-compress (content coding) 44 9160 x-gzip (content coding) 44 9162 Acknowledgments 9164 This edition of the HTTP specification builds on the many 9165 contributions that went into RFC 1945, RFC 2068, RFC 2145, RFC 2616, 9166 and RFC 2818, including substantial contributions made by the 9167 previous authors, editors, and Working Group Chairs: Tim Berners-Lee, 9168 Ari Luotonen, Roy T. Fielding, Henrik Frystyk Nielsen, Jim Gettys, 9169 Jeffrey C. Mogul, Larry Masinter, Paul J. Leach, Eric Rescorla, and 9170 Yves Lafon. 9172 See Section 10 of [RFC7230] for further acknowledgements from prior 9173 revisions. 9175 In addition, this document has reincorporated the HTTP Authentication 9176 Framework, previously defined in RFC 7235 and RFC 2617. We thank 9177 John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott 9178 D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart 9179 for their work on that specification. See Section 6 of [RFC2617] for 9180 further acknowledgements. 9182 [[newacks: New acks to be added here.]] 9184 Authors' Addresses 9186 Roy T. Fielding (editor) 9187 Adobe 9188 345 Park Ave 9189 San Jose, CA 95110 9190 United States of America 9192 EMail: fielding@gbiv.com 9193 URI: https://roy.gbiv.com/ 9195 Mark Nottingham (editor) 9196 Fastly 9198 EMail: mnot@mnot.net 9199 URI: https://www.mnot.net/ 9201 Julian F. Reschke (editor) 9202 greenbytes GmbH 9203 Hafenweg 16 9204 Muenster 48155 9205 Germany 9207 EMail: julian.reschke@greenbytes.de 9208 URI: https://greenbytes.de/tech/webdav/