idnits 2.17.1 draft-ietf-httpbis-semantics-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC7230, but the abstract doesn't seem to directly say this. It does mention RFC7230 though, so this could be OK. -- The abstract seems to indicate that this document obsoletes RFC7615, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7538, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC7694, but the header doesn't have an 'Obsoletes:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 11, 2020) is 1385 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2145' is defined on line 8462, but no explicit reference was found in the text == Unused Reference: 'RFC2818' is defined on line 8496, but no explicit reference was found in the text == Unused Reference: 'RFC7232' is defined on line 8566, but no explicit reference was found in the text == Unused Reference: 'RFC7233' is defined on line 8571, but no explicit reference was found in the text == Unused Reference: 'RFC7235' is defined on line 8576, but no explicit reference was found in the text == Unused Reference: 'RFC7615' is defined on line 8594, but no explicit reference was found in the text == Unused Reference: 'RFC7617' is defined on line 8604, but no explicit reference was found in the text == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-cache-09 -- Possible downref: Normative reference to a draft: ref. 'Caching' == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-messaging-09 -- Possible downref: Normative reference to a draft: ref. 'Messaging' ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Downref: Normative reference to an Informational RFC: RFC 1950 ** Downref: Normative reference to an Informational RFC: RFC 1951 ** Downref: Normative reference to an Informational RFC: RFC 1952 -- Possible downref: Non-RFC (?) normative reference: ref. 'USASCII' -- Possible downref: Non-RFC (?) normative reference: ref. 'Welch' -- Duplicate reference: RFC2978, mentioned in 'Err5433', was also mentioned in 'Err1912'. -- Obsolete informational reference (is this intentional?): RFC 2068 (Obsoleted by RFC 2616) -- Obsolete informational reference (is this intentional?): RFC 2145 (Obsoleted by RFC 7230) -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Duplicate reference: RFC2978, mentioned in 'RFC2978', was also mentioned in 'Err5433'. -- Obsolete informational reference (is this intentional?): RFC 6125 (Obsoleted by RFC 9525) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) -- Obsolete informational reference (is this intentional?): RFC 7231 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7232 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7233 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7235 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7538 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7540 (Obsoleted by RFC 9113) -- Obsolete informational reference (is this intentional?): RFC 7615 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7694 (Obsoleted by RFC 9110) Summary: 4 errors (**), 0 flaws (~~), 11 warnings (==), 27 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group R. Fielding, Ed. 3 Internet-Draft Adobe 4 Obsoletes: 2818,7230,7231,7232,7233,7235 M. Nottingham, Ed. 5 ,7538,7615,7694 (if approved) Fastly 6 Intended status: Standards Track J. Reschke, Ed. 7 Expires: January 12, 2021 greenbytes 8 July 11, 2020 10 HTTP Semantics 11 draft-ietf-httpbis-semantics-09 13 Abstract 15 The Hypertext Transfer Protocol (HTTP) is a stateless application- 16 level protocol for distributed, collaborative, hypertext information 17 systems. This document defines the semantics of HTTP: its 18 architecture, terminology, the "http" and "https" Uniform Resource 19 Identifier (URI) schemes, core request methods, request header 20 fields, response status codes, response header fields, and content 21 negotiation. 23 This document obsoletes RFC 2818, RFC 7231, RFC 7232, RFC 7233, RFC 24 7235, RFC 7538, RFC 7615, RFC 7694, and portions of RFC 7230. 26 Editorial Note 28 This note is to be removed before publishing as an RFC. 30 Discussion of this draft takes place on the HTTP working group 31 mailing list (ietf-http-wg@w3.org), which is archived at 32 . 34 Working Group information can be found at ; 35 source code and issues list for this draft can be found at 36 . 38 The changes in this draft are summarized in Appendix D.10. 40 Status of This Memo 42 This Internet-Draft is submitted in full conformance with the 43 provisions of BCP 78 and BCP 79. 45 Internet-Drafts are working documents of the Internet Engineering 46 Task Force (IETF). Note that other groups may also distribute 47 working documents as Internet-Drafts. The list of current Internet- 48 Drafts is at https://datatracker.ietf.org/drafts/current/. 50 Internet-Drafts are draft documents valid for a maximum of six months 51 and may be updated, replaced, or obsoleted by other documents at any 52 time. It is inappropriate to use Internet-Drafts as reference 53 material or to cite them other than as "work in progress." 55 This Internet-Draft will expire on January 12, 2021. 57 Copyright Notice 59 Copyright (c) 2020 IETF Trust and the persons identified as the 60 document authors. All rights reserved. 62 This document is subject to BCP 78 and the IETF Trust's Legal 63 Provisions Relating to IETF Documents 64 (https://trustee.ietf.org/license-info) in effect on the date of 65 publication of this document. Please review these documents 66 carefully, as they describe your rights and restrictions with respect 67 to this document. Code Components extracted from this document must 68 include Simplified BSD License text as described in Section 4.e of 69 the Trust Legal Provisions and are provided without warranty as 70 described in the Simplified BSD License. 72 This document may contain material from IETF Documents or IETF 73 Contributions published or made publicly available before November 74 10, 2008. The person(s) controlling the copyright in some of this 75 material may not have granted the IETF Trust the right to allow 76 modifications of such material outside the IETF Standards Process. 77 Without obtaining an adequate license from the person(s) controlling 78 the copyright in such materials, this document may not be modified 79 outside the IETF Standards Process, and derivative works of it may 80 not be created outside the IETF Standards Process, except to format 81 it for publication as an RFC or to translate it into languages other 82 than English. 84 Table of Contents 86 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 8 87 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 9 88 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 10 89 1.2.1. Whitespace . . . . . . . . . . . . . . . . . . . . . 10 90 2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 11 91 2.1. Client/Server Messaging . . . . . . . . . . . . . . . . . 11 92 2.2. Intermediaries . . . . . . . . . . . . . . . . . . . . . 13 93 2.3. Caches . . . . . . . . . . . . . . . . . . . . . . . . . 15 94 2.4. Uniform Resource Identifiers . . . . . . . . . . . . . . 16 95 2.5. Resources . . . . . . . . . . . . . . . . . . . . . . . . 17 96 2.5.1. http URI Scheme . . . . . . . . . . . . . . . . . . . 18 97 2.5.2. https URI Scheme . . . . . . . . . . . . . . . . . . 18 98 2.5.3. http and https URI Normalization and Comparison . . . 19 99 2.5.4. Deprecated userinfo . . . . . . . . . . . . . . . . . 20 100 2.5.5. Fragment Identifiers on http(s) URI References . . . 20 101 3. Conformance . . . . . . . . . . . . . . . . . . . . . . . . . 21 102 3.1. Implementation Diversity . . . . . . . . . . . . . . . . 21 103 3.2. Role-based Requirements . . . . . . . . . . . . . . . . . 21 104 3.3. Parsing Elements . . . . . . . . . . . . . . . . . . . . 22 105 3.4. Error Handling . . . . . . . . . . . . . . . . . . . . . 23 106 4. Extending and Versioning HTTP . . . . . . . . . . . . . . . . 23 107 4.1. Extending HTTP . . . . . . . . . . . . . . . . . . . . . 23 108 4.2. Protocol Versioning . . . . . . . . . . . . . . . . . . . 24 109 5. Header and Trailer Fields . . . . . . . . . . . . . . . . . . 25 110 5.1. Field Ordering and Combination . . . . . . . . . . . . . 26 111 5.2. Field Limits . . . . . . . . . . . . . . . . . . . . . . 27 112 5.3. Field Names . . . . . . . . . . . . . . . . . . . . . . . 28 113 5.3.1. Field Extensibility . . . . . . . . . . . . . . . . . 28 114 5.3.2. Field Name Registry . . . . . . . . . . . . . . . . . 29 115 5.4. Field Values . . . . . . . . . . . . . . . . . . . . . . 30 116 5.4.1. Common Field Value Components . . . . . . . . . . . . 31 117 5.5. ABNF List Extension: #rule . . . . . . . . . . . . . . . 35 118 5.5.1. Sender Requirements . . . . . . . . . . . . . . . . . 35 119 5.5.2. Recipient Requirements . . . . . . . . . . . . . . . 36 120 5.6. Trailer Fields . . . . . . . . . . . . . . . . . . . . . 36 121 5.6.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 36 122 5.6.2. Limitations . . . . . . . . . . . . . . . . . . . . . 37 123 5.6.3. Trailer . . . . . . . . . . . . . . . . . . . . . . . 37 124 5.7. Considerations for New HTTP Fields . . . . . . . . . . . 38 125 5.8. Fields Defined In This Document . . . . . . . . . . . . . 39 126 6. Message Routing . . . . . . . . . . . . . . . . . . . . . . . 41 127 6.1. Identifying a Target Resource . . . . . . . . . . . . . . 41 128 6.2. Determining Origin . . . . . . . . . . . . . . . . . . . 42 129 6.3. Routing Inbound . . . . . . . . . . . . . . . . . . . . . 42 130 6.4. Direct Authoritative Access . . . . . . . . . . . . . . . 43 131 6.4.1. http origins . . . . . . . . . . . . . . . . . . . . 43 132 6.4.2. https origins . . . . . . . . . . . . . . . . . . . . 44 133 6.4.3. Initiating HTTP Over TLS . . . . . . . . . . . . . . 45 134 6.5. Reconstructing the Target URI . . . . . . . . . . . . . . 47 135 6.6. Host . . . . . . . . . . . . . . . . . . . . . . . . . . 48 136 6.7. Message Forwarding . . . . . . . . . . . . . . . . . . . 48 137 6.7.1. Via . . . . . . . . . . . . . . . . . . . . . . . . . 49 138 6.7.2. Transformations . . . . . . . . . . . . . . . . . . . 51 139 7. Representations . . . . . . . . . . . . . . . . . . . . . . . 52 140 7.1. Representation Data . . . . . . . . . . . . . . . . . . . 52 141 7.1.1. Media Type . . . . . . . . . . . . . . . . . . . . . 53 142 7.1.2. Content Codings . . . . . . . . . . . . . . . . . . . 55 143 7.1.3. Language Tags . . . . . . . . . . . . . . . . . . . . 57 144 7.1.4. Range Units . . . . . . . . . . . . . . . . . . . . . 57 145 7.2. Representation Metadata . . . . . . . . . . . . . . . . . 61 146 7.2.1. Content-Type . . . . . . . . . . . . . . . . . . . . 62 147 7.2.2. Content-Encoding . . . . . . . . . . . . . . . . . . 63 148 7.2.3. Content-Language . . . . . . . . . . . . . . . . . . 64 149 7.2.4. Content-Length . . . . . . . . . . . . . . . . . . . 64 150 7.2.5. Content-Location . . . . . . . . . . . . . . . . . . 66 151 7.3. Payload . . . . . . . . . . . . . . . . . . . . . . . . . 68 152 7.3.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 68 153 7.3.2. Identification . . . . . . . . . . . . . . . . . . . 68 154 7.3.3. Payload Body . . . . . . . . . . . . . . . . . . . . 69 155 7.3.4. Content-Range . . . . . . . . . . . . . . . . . . . . 70 156 7.3.5. Media Type multipart/byteranges . . . . . . . . . . . 72 157 7.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 74 158 7.4.1. Proactive Negotiation . . . . . . . . . . . . . . . . 75 159 7.4.2. Reactive Negotiation . . . . . . . . . . . . . . . . 76 160 7.4.3. Request Payload Negotiation . . . . . . . . . . . . . 77 161 7.4.4. Quality Values . . . . . . . . . . . . . . . . . . . 77 162 8. Request Methods . . . . . . . . . . . . . . . . . . . . . . . 77 163 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 77 164 8.2. Common Method Properties . . . . . . . . . . . . . . . . 79 165 8.2.1. Safe Methods . . . . . . . . . . . . . . . . . . . . 80 166 8.2.2. Idempotent Methods . . . . . . . . . . . . . . . . . 81 167 8.2.3. Methods and Caching . . . . . . . . . . . . . . . . . 82 168 8.3. Method Definitions . . . . . . . . . . . . . . . . . . . 82 169 8.3.1. GET . . . . . . . . . . . . . . . . . . . . . . . . . 82 170 8.3.2. HEAD . . . . . . . . . . . . . . . . . . . . . . . . 83 171 8.3.3. POST . . . . . . . . . . . . . . . . . . . . . . . . 84 172 8.3.4. PUT . . . . . . . . . . . . . . . . . . . . . . . . . 85 173 8.3.5. DELETE . . . . . . . . . . . . . . . . . . . . . . . 87 174 8.3.6. CONNECT . . . . . . . . . . . . . . . . . . . . . . . 88 175 8.3.7. OPTIONS . . . . . . . . . . . . . . . . . . . . . . . 90 176 8.3.8. TRACE . . . . . . . . . . . . . . . . . . . . . . . . 91 177 8.4. Method Extensibility . . . . . . . . . . . . . . . . . . 91 178 8.4.1. Method Registry . . . . . . . . . . . . . . . . . . . 92 179 8.4.2. Considerations for New Methods . . . . . . . . . . . 92 180 9. Request Header Fields . . . . . . . . . . . . . . . . . . . . 93 181 9.1. Controls . . . . . . . . . . . . . . . . . . . . . . . . 93 182 9.1.1. Expect . . . . . . . . . . . . . . . . . . . . . . . 93 183 9.1.2. Max-Forwards . . . . . . . . . . . . . . . . . . . . 96 184 9.2. Preconditions . . . . . . . . . . . . . . . . . . . . . . 96 185 9.2.1. Evaluation . . . . . . . . . . . . . . . . . . . . . 97 186 9.2.2. Precedence . . . . . . . . . . . . . . . . . . . . . 98 187 9.2.3. If-Match . . . . . . . . . . . . . . . . . . . . . . 100 188 9.2.4. If-None-Match . . . . . . . . . . . . . . . . . . . . 101 189 9.2.5. If-Modified-Since . . . . . . . . . . . . . . . . . . 103 190 9.2.6. If-Unmodified-Since . . . . . . . . . . . . . . . . . 104 191 9.2.7. If-Range . . . . . . . . . . . . . . . . . . . . . . 105 192 9.3. Range . . . . . . . . . . . . . . . . . . . . . . . . . . 106 193 9.4. Negotiation . . . . . . . . . . . . . . . . . . . . . . . 108 194 9.4.1. Accept . . . . . . . . . . . . . . . . . . . . . . . 109 195 9.4.2. Accept-Charset . . . . . . . . . . . . . . . . . . . 111 196 9.4.3. Accept-Encoding . . . . . . . . . . . . . . . . . . . 112 197 9.4.4. Accept-Language . . . . . . . . . . . . . . . . . . . 114 198 9.5. Authentication Credentials . . . . . . . . . . . . . . . 115 199 9.5.1. Challenge and Response . . . . . . . . . . . . . . . 115 200 9.5.2. Protection Space (Realm) . . . . . . . . . . . . . . 117 201 9.5.3. Authorization . . . . . . . . . . . . . . . . . . . . 118 202 9.5.4. Proxy-Authorization . . . . . . . . . . . . . . . . . 118 203 9.5.5. Authentication Scheme Extensibility . . . . . . . . . 118 204 9.6. Request Context . . . . . . . . . . . . . . . . . . . . . 121 205 9.6.1. From . . . . . . . . . . . . . . . . . . . . . . . . 121 206 9.6.2. Referer . . . . . . . . . . . . . . . . . . . . . . . 122 207 9.6.3. User-Agent . . . . . . . . . . . . . . . . . . . . . 123 208 10. Response Status Codes . . . . . . . . . . . . . . . . . . . . 124 209 10.1. Overview of Status Codes . . . . . . . . . . . . . . . . 125 210 10.2. Informational 1xx . . . . . . . . . . . . . . . . . . . 126 211 10.2.1. 100 Continue . . . . . . . . . . . . . . . . . . . . 127 212 10.2.2. 101 Switching Protocols . . . . . . . . . . . . . . 127 213 10.3. Successful 2xx . . . . . . . . . . . . . . . . . . . . . 127 214 10.3.1. 200 OK . . . . . . . . . . . . . . . . . . . . . . . 127 215 10.3.2. 201 Created . . . . . . . . . . . . . . . . . . . . 128 216 10.3.3. 202 Accepted . . . . . . . . . . . . . . . . . . . . 128 217 10.3.4. 203 Non-Authoritative Information . . . . . . . . . 129 218 10.3.5. 204 No Content . . . . . . . . . . . . . . . . . . . 129 219 10.3.6. 205 Reset Content . . . . . . . . . . . . . . . . . 130 220 10.3.7. 206 Partial Content . . . . . . . . . . . . . . . . 130 221 10.4. Redirection 3xx . . . . . . . . . . . . . . . . . . . . 133 222 10.4.1. 300 Multiple Choices . . . . . . . . . . . . . . . . 135 223 10.4.2. 301 Moved Permanently . . . . . . . . . . . . . . . 136 224 10.4.3. 302 Found . . . . . . . . . . . . . . . . . . . . . 136 225 10.4.4. 303 See Other . . . . . . . . . . . . . . . . . . . 137 226 10.4.5. 304 Not Modified . . . . . . . . . . . . . . . . . . 137 227 10.4.6. 305 Use Proxy . . . . . . . . . . . . . . . . . . . 138 228 10.4.7. 306 (Unused) . . . . . . . . . . . . . . . . . . . . 138 229 10.4.8. 307 Temporary Redirect . . . . . . . . . . . . . . . 138 230 10.4.9. 308 Permanent Redirect . . . . . . . . . . . . . . . 139 231 10.5. Client Error 4xx . . . . . . . . . . . . . . . . . . . . 139 232 10.5.1. 400 Bad Request . . . . . . . . . . . . . . . . . . 139 233 10.5.2. 401 Unauthorized . . . . . . . . . . . . . . . . . . 139 234 10.5.3. 402 Payment Required . . . . . . . . . . . . . . . . 140 235 10.5.4. 403 Forbidden . . . . . . . . . . . . . . . . . . . 140 236 10.5.5. 404 Not Found . . . . . . . . . . . . . . . . . . . 140 237 10.5.6. 405 Method Not Allowed . . . . . . . . . . . . . . . 141 238 10.5.7. 406 Not Acceptable . . . . . . . . . . . . . . . . . 141 239 10.5.8. 407 Proxy Authentication Required . . . . . . . . . 141 240 10.5.9. 408 Request Timeout . . . . . . . . . . . . . . . . 141 241 10.5.10. 409 Conflict . . . . . . . . . . . . . . . . . . . . 142 242 10.5.11. 410 Gone . . . . . . . . . . . . . . . . . . . . . . 142 243 10.5.12. 411 Length Required . . . . . . . . . . . . . . . . 142 244 10.5.13. 412 Precondition Failed . . . . . . . . . . . . . . 143 245 10.5.14. 413 Payload Too Large . . . . . . . . . . . . . . . 143 246 10.5.15. 414 URI Too Long . . . . . . . . . . . . . . . . . . 143 247 10.5.16. 415 Unsupported Media Type . . . . . . . . . . . . . 143 248 10.5.17. 416 Range Not Satisfiable . . . . . . . . . . . . . 144 249 10.5.18. 417 Expectation Failed . . . . . . . . . . . . . . . 144 250 10.5.19. 418 (Unused) . . . . . . . . . . . . . . . . . . . . 145 251 10.5.20. 422 Unprocessable Payload . . . . . . . . . . . . . 145 252 10.5.21. 426 Upgrade Required . . . . . . . . . . . . . . . . 145 253 10.6. Server Error 5xx . . . . . . . . . . . . . . . . . . . . 145 254 10.6.1. 500 Internal Server Error . . . . . . . . . . . . . 146 255 10.6.2. 501 Not Implemented . . . . . . . . . . . . . . . . 146 256 10.6.3. 502 Bad Gateway . . . . . . . . . . . . . . . . . . 146 257 10.6.4. 503 Service Unavailable . . . . . . . . . . . . . . 146 258 10.6.5. 504 Gateway Timeout . . . . . . . . . . . . . . . . 146 259 10.6.6. 505 HTTP Version Not Supported . . . . . . . . . . . 147 260 10.7. Status Code Extensibility . . . . . . . . . . . . . . . 147 261 10.7.1. Status Code Registry . . . . . . . . . . . . . . . . 147 262 10.7.2. Considerations for New Status Codes . . . . . . . . 147 263 11. Response Header Fields . . . . . . . . . . . . . . . . . . . 148 264 11.1. Control Data . . . . . . . . . . . . . . . . . . . . . . 149 265 11.1.1. Date . . . . . . . . . . . . . . . . . . . . . . . . 149 266 11.1.2. Location . . . . . . . . . . . . . . . . . . . . . . 150 267 11.1.3. Retry-After . . . . . . . . . . . . . . . . . . . . 151 268 11.1.4. Vary . . . . . . . . . . . . . . . . . . . . . . . . 152 269 11.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 153 270 11.2.1. Weak versus Strong . . . . . . . . . . . . . . . . . 154 271 11.2.2. Last-Modified . . . . . . . . . . . . . . . . . . . 155 272 11.2.3. ETag . . . . . . . . . . . . . . . . . . . . . . . . 157 273 11.2.4. When to Use Entity-Tags and Last-Modified Dates . . 161 274 11.3. Authentication Challenges . . . . . . . . . . . . . . . 161 275 11.3.1. WWW-Authenticate . . . . . . . . . . . . . . . . . . 162 276 11.3.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . 163 277 11.3.3. Authentication-Info . . . . . . . . . . . . . . . . 163 278 11.3.4. Proxy-Authentication-Info . . . . . . . . . . . . . 164 279 11.4. Response Context . . . . . . . . . . . . . . . . . . . . 165 280 11.4.1. Accept-Ranges . . . . . . . . . . . . . . . . . . . 165 281 11.4.2. Allow . . . . . . . . . . . . . . . . . . . . . . . 165 282 11.4.3. Server . . . . . . . . . . . . . . . . . . . . . . . 166 283 12. Security Considerations . . . . . . . . . . . . . . . . . . . 167 284 12.1. Establishing Authority . . . . . . . . . . . . . . . . . 167 285 12.2. Risks of Intermediaries . . . . . . . . . . . . . . . . 168 286 12.3. Attacks Based on File and Path Names . . . . . . . . . . 169 287 12.4. Attacks Based on Command, Code, or Query Injection . . . 169 288 12.5. Attacks via Protocol Element Length . . . . . . . . . . 170 289 12.6. Disclosure of Personal Information . . . . . . . . . . . 170 290 12.7. Privacy of Server Log Information . . . . . . . . . . . 170 291 12.8. Disclosure of Sensitive Information in URIs . . . . . . 171 292 12.9. Disclosure of Fragment after Redirects . . . . . . . . . 171 293 12.10. Disclosure of Product Information . . . . . . . . . . . 172 294 12.11. Browser Fingerprinting . . . . . . . . . . . . . . . . . 172 295 12.12. Validator Retention . . . . . . . . . . . . . . . . . . 173 296 12.13. Denial-of-Service Attacks Using Range . . . . . . . . . 174 297 12.14. Authentication Considerations . . . . . . . . . . . . . 174 298 12.14.1. Confidentiality of Credentials . . . . . . . . . . 174 299 12.14.2. Credentials and Idle Clients . . . . . . . . . . . 175 300 12.14.3. Protection Spaces . . . . . . . . . . . . . . . . . 175 301 12.14.4. Additional Response Fields . . . . . . . . . . . . 176 302 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 176 303 13.1. URI Scheme Registration . . . . . . . . . . . . . . . . 176 304 13.2. Method Registration . . . . . . . . . . . . . . . . . . 176 305 13.3. Status Code Registration . . . . . . . . . . . . . . . . 176 306 13.4. HTTP Field Name Registration . . . . . . . . . . . . . . 177 307 13.5. Authentication Scheme Registration . . . . . . . . . . . 177 308 13.6. Content Coding Registration . . . . . . . . . . . . . . 178 309 13.7. Range Unit Registration . . . . . . . . . . . . . . . . 178 310 13.8. Media Type Registration . . . . . . . . . . . . . . . . 178 311 13.9. Port Registration . . . . . . . . . . . . . . . . . . . 178 312 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 178 313 14.1. Normative References . . . . . . . . . . . . . . . . . . 178 314 14.2. Informative References . . . . . . . . . . . . . . . . . 180 315 Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 187 316 Appendix B. Changes from previous RFCs . . . . . . . . . . . . . 191 317 B.1. Changes from RFC 2818 . . . . . . . . . . . . . . . . . . 191 318 B.2. Changes from RFC 7230 . . . . . . . . . . . . . . . . . . 191 319 B.3. Changes from RFC 7231 . . . . . . . . . . . . . . . . . . 192 320 B.4. Changes from RFC 7232 . . . . . . . . . . . . . . . . . . 193 321 B.5. Changes from RFC 7233 . . . . . . . . . . . . . . . . . . 193 322 B.6. Changes from RFC 7235 . . . . . . . . . . . . . . . . . . 193 323 B.7. Changes from RFC 7538 . . . . . . . . . . . . . . . . . . 193 324 B.8. Changes from RFC 7615 . . . . . . . . . . . . . . . . . . 193 325 Appendix C. Changes from RFC 7694 . . . . . . . . . . . . . . . 193 326 Appendix D. Change Log . . . . . . . . . . . . . . . . . . . . . 193 327 D.1. Between RFC723x and draft 00 . . . . . . . . . . . . . . 194 328 D.2. Since draft-ietf-httpbis-semantics-00 . . . . . . . . . . 194 329 D.3. Since draft-ietf-httpbis-semantics-01 . . . . . . . . . . 195 330 D.4. Since draft-ietf-httpbis-semantics-02 . . . . . . . . . . 196 331 D.5. Since draft-ietf-httpbis-semantics-03 . . . . . . . . . . 197 332 D.6. Since draft-ietf-httpbis-semantics-04 . . . . . . . . . . 198 333 D.7. Since draft-ietf-httpbis-semantics-05 . . . . . . . . . . 198 334 D.8. Since draft-ietf-httpbis-semantics-06 . . . . . . . . . . 199 335 D.9. Since draft-ietf-httpbis-semantics-07 . . . . . . . . . . 201 336 D.10. Since draft-ietf-httpbis-semantics-08 . . . . . . . . . . 202 337 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 338 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 213 339 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 214 341 1. Introduction 343 The Hypertext Transfer Protocol (HTTP) is a stateless application- 344 level request/response protocol that uses extensible semantics and 345 self-descriptive messages for flexible interaction with network-based 346 hypertext information systems. HTTP is defined by a series of 347 documents that collectively form the HTTP/1.1 specification: 349 o "HTTP Semantics" (this document) 351 o "HTTP Caching" [Caching] 353 o "HTTP/1.1 Messaging" [Messaging] 355 HTTP is a generic interface protocol for information systems. It is 356 designed to hide the details of how a service is implemented by 357 presenting a uniform interface to clients that is independent of the 358 types of resources provided. Likewise, servers do not need to be 359 aware of each client's purpose: an HTTP request can be considered in 360 isolation rather than being associated with a specific type of client 361 or a predetermined sequence of application steps. The result is a 362 protocol that can be used effectively in many different contexts and 363 for which implementations can evolve independently over time. 365 HTTP is also designed for use as an intermediation protocol for 366 translating communication to and from non-HTTP information systems. 367 HTTP proxies and gateways can provide access to alternative 368 information services by translating their diverse protocols into a 369 hypertext format that can be viewed and manipulated by clients in the 370 same way as HTTP services. 372 One consequence of this flexibility is that the protocol cannot be 373 defined in terms of what occurs behind the interface. Instead, we 374 are limited to defining the syntax of communication, the intent of 375 received communication, and the expected behavior of recipients. If 376 the communication is considered in isolation, then successful actions 377 ought to be reflected in corresponding changes to the observable 378 interface provided by servers. However, since multiple clients might 379 act in parallel and perhaps at cross-purposes, we cannot require that 380 such changes be observable beyond the scope of a single response. 382 Each HTTP message is either a request or a response. A server 383 listens on a connection for a request, parses each message received, 384 interprets the message semantics in relation to the identified target 385 resource, and responds to that request with one or more response 386 messages. A client constructs request messages to communicate 387 specific intentions, examines received responses to see if the 388 intentions were carried out, and determines how to interpret the 389 results. 391 HTTP provides a uniform interface for interacting with a resource 392 (Section 2.5), regardless of its type, nature, or implementation, via 393 the manipulation and transfer of representations (Section 7). 395 This document defines semantics that are common to all versions of 396 HTTP. HTTP semantics include the intentions defined by each request 397 method (Section 8), extensions to those semantics that might be 398 described in request header fields (Section 9), the meaning of status 399 codes to indicate a machine-readable response (Section 10), and the 400 meaning of other control data and resource metadata that might be 401 given in response header fields (Section 11). 403 This document also defines representation metadata that describe how 404 a payload is intended to be interpreted by a recipient, the request 405 header fields that might influence content selection, and the various 406 selection algorithms that are collectively referred to as "content 407 negotiation" (Section 7.4). 409 This document defines HTTP range requests, partial responses, and the 410 multipart/byteranges media type. 412 This document obsoletes the portions of RFC 7230 that are independent 413 of the HTTP/1.1 messaging syntax and connection management, with the 414 changes being summarized in Appendix B.2. The other parts of RFC 415 7230 are obsoleted by "HTTP/1.1 Messaging" [Messaging]. This 416 document also obsoletes RFC 2818 (see Appendix B.1), RFC 7231 (see 417 Appendix B.3), RFC 7232 (see Appendix B.4), RFC 7233 (see 418 Appendix B.5), RFC 7235 (see Appendix B.6), RFC 7538 (see 419 Appendix B.7), RFC 7615 (see Appendix B.8), and RFC 7694 (see 420 Appendix C). 422 1.1. Requirements Notation 424 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 425 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 426 "OPTIONAL" in this document are to be interpreted as described in BCP 427 14 [RFC2119] [RFC8174] when, and only when, they appear in all 428 capitals, as shown here. 430 Conformance criteria and considerations regarding error handling are 431 defined in Section 3. 433 1.2. Syntax Notation 435 This specification uses the Augmented Backus-Naur Form (ABNF) 436 notation of [RFC5234], extended with the notation for case- 437 sensitivity in strings defined in [RFC7405]. 439 It also uses a list extension, defined in Section 5.5, that allows 440 for compact definition of comma-separated lists using a '#' operator 441 (similar to how the '*' operator indicates repetition). Appendix A 442 shows the collected grammar with all list operators expanded to 443 standard ABNF notation. 445 As a convention, ABNF rule names prefixed with "obs-" denote 446 "obsolete" grammar rules that appear for historical reasons. 448 The following core rules are included by reference, as defined in 449 Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return), 450 CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double 451 quote), HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF 452 (line feed), OCTET (any 8-bit sequence of data), SP (space), and 453 VCHAR (any visible US-ASCII character). 455 Section 5.4.1 defines some generic syntactic components for field 456 values. 458 The rules below are defined in [Messaging]: 460 protocol-name = 461 protocol-version = 463 This specification uses the terms "character", "character encoding 464 scheme", "charset", and "protocol element" as they are defined in 465 [RFC6365]. 467 1.2.1. Whitespace 469 This specification uses three rules to denote the use of linear 470 whitespace: OWS (optional whitespace), RWS (required whitespace), and 471 BWS ("bad" whitespace). 473 The OWS rule is used where zero or more linear whitespace octets 474 might appear. For protocol elements where optional whitespace is 475 preferred to improve readability, a sender SHOULD generate the 476 optional whitespace as a single SP; otherwise, a sender SHOULD NOT 477 generate optional whitespace except as needed to white out invalid or 478 unwanted protocol elements during in-place message filtering. 480 The RWS rule is used when at least one linear whitespace octet is 481 required to separate field tokens. A sender SHOULD generate RWS as a 482 single SP. 484 OWS and RWS have the same semantics as a single SP. Any content 485 known to be defined as OWS or RWS MAY be replaced with a single SP 486 before interpreting it or forwarding the message downstream. 488 The BWS rule is used where the grammar allows optional whitespace 489 only for historical reasons. A sender MUST NOT generate BWS in 490 messages. A recipient MUST parse for such bad whitespace and remove 491 it before interpreting the protocol element. 493 BWS has no semantics. Any content known to be defined as BWS MAY be 494 removed before interpreting it or forwarding the message downstream. 496 OWS = *( SP / HTAB ) 497 ; optional whitespace 498 RWS = 1*( SP / HTAB ) 499 ; required whitespace 500 BWS = OWS 501 ; "bad" whitespace 503 2. Architecture 505 HTTP was created for the World Wide Web (WWW) architecture and has 506 evolved over time to support the scalability needs of a worldwide 507 hypertext system. Much of that architecture is reflected in the 508 terminology and syntax productions used to define HTTP. 510 2.1. Client/Server Messaging 512 HTTP is a stateless request/response protocol that operates by 513 exchanging messages across a reliable transport- or session-layer 514 "connection". An HTTP "client" is a program that establishes a 515 connection to a server for the purpose of sending one or more HTTP 516 requests. An HTTP "server" is a program that accepts connections in 517 order to service HTTP requests by sending HTTP responses. 519 The terms "client" and "server" refer only to the roles that these 520 programs perform for a particular connection. The same program might 521 act as a client on some connections and a server on others. The term 522 "user agent" refers to any of the various client programs that 523 initiate a request, including (but not limited to) browsers, spiders 524 (web-based robots), command-line tools, custom applications, and 525 mobile apps. The term "origin server" refers to the program that can 526 originate authoritative responses for a given target resource. The 527 terms "sender" and "recipient" refer to any implementation that sends 528 or receives a given message, respectively. 530 HTTP relies upon the Uniform Resource Identifier (URI) standard 531 [RFC3986] to indicate the target resource (Section 6.1) and 532 relationships between resources. 534 Most HTTP communication consists of a retrieval request (GET) for a 535 representation of some resource identified by a URI. In the simplest 536 case, this might be accomplished via a single bidirectional 537 connection (===) between the user agent (UA) and the origin server 538 (O). 540 request > 541 UA ======================================= O 542 < response 544 Each major version of HTTP defines its own syntax for the inclusion 545 of information in messages. Nevertheless, a common abstraction is 546 that a message includes some form of envelope/framing, a potential 547 set of named fields up front (a header section), a potential body, 548 and a potential following set of named fields (a trailer section). 550 A client sends an HTTP request to a server in the form of a request 551 message with a method (Section 8) and request target. The request 552 might also contain header fields for request modifiers, client 553 information, and representation metadata (Section 5), a payload body 554 (Section 7.3.3) to be processed in accordance with the method, and 555 trailer fields for metadata collected while sending the payload. 557 A server responds to a client's request by sending one or more HTTP 558 response messages, each including a success or error code 559 (Section 10). The response might also contain header fields for 560 server information, resource metadata, and representation metadata 561 (Section 5), a payload body (Section 7.3.3) to be interpreted in 562 accordance with the status code, and trailer fields for metadata 563 collected while sending the payload. 565 One of the functions of the message framing mechanism is to assure 566 that messages are complete. A message is considered complete when 567 all of the octets indicated by its framing are available. Note that, 568 when no explicit framing is used, a response message that is ended by 569 the transport connection's close is considered complete even though 570 it might be indistinguishable from an incomplete response, unless a 571 transport-level error indicates that it is not complete. 573 A connection might be used for multiple request/response exchanges. 574 The mechanism used to correlate between request and response messages 575 is version dependent; some versions of HTTP use implicit ordering of 576 messages, while others use an explicit identifier. 578 Responses (both final and interim) can be sent at any time after a 579 request is received, even if it is not yet complete. However, 580 clients (including intermediaries) might abandon a request if the 581 response is not forthcoming within a reasonable period of time. 583 The following example illustrates a typical message exchange for a 584 GET request (Section 8.3.1) on the URI "http://www.example.com/ 585 hello.txt": 587 Client request: 589 GET /hello.txt HTTP/1.1 590 User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 591 Host: www.example.com 592 Accept-Language: en, mi 594 Server response: 596 HTTP/1.1 200 OK 597 Date: Mon, 27 Jul 2009 12:28:53 GMT 598 Server: Apache 599 Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT 600 ETag: "34aa387-d-1568eb00" 601 Accept-Ranges: bytes 602 Content-Length: 51 603 Vary: Accept-Encoding 604 Content-Type: text/plain 606 Hello World! My payload includes a trailing CRLF. 608 2.2. Intermediaries 610 HTTP enables the use of intermediaries to satisfy requests through a 611 chain of connections. There are three common forms of HTTP 612 intermediary: proxy, gateway, and tunnel. In some cases, a single 613 intermediary might act as an origin server, proxy, gateway, or 614 tunnel, switching behavior based on the nature of each request. 616 > > > > 617 UA =========== A =========== B =========== C =========== O 618 < < < < 620 The figure above shows three intermediaries (A, B, and C) between the 621 user agent and origin server. A request or response message that 622 travels the whole chain will pass through four separate connections. 623 Some HTTP communication options might apply only to the connection 624 with the nearest, non-tunnel neighbor, only to the endpoints of the 625 chain, or to all connections along the chain. Although the diagram 626 is linear, each participant might be engaged in multiple, 627 simultaneous communications. For example, B might be receiving 628 requests from many clients other than A, and/or forwarding requests 629 to servers other than C, at the same time that it is handling A's 630 request. Likewise, later requests might be sent through a different 631 path of connections, often based on dynamic configuration for load 632 balancing. 634 The terms "upstream" and "downstream" are used to describe 635 directional requirements in relation to the message flow: all 636 messages flow from upstream to downstream. The terms "inbound" and 637 "outbound" are used to describe directional requirements in relation 638 to the request route: "inbound" means toward the origin server and 639 "outbound" means toward the user agent. 641 A "proxy" is a message-forwarding agent that is selected by the 642 client, usually via local configuration rules, to receive requests 643 for some type(s) of absolute URI and attempt to satisfy those 644 requests via translation through the HTTP interface. Some 645 translations are minimal, such as for proxy requests for "http" URIs, 646 whereas other requests might require translation to and from entirely 647 different application-level protocols. Proxies are often used to 648 group an organization's HTTP requests through a common intermediary 649 for the sake of security, annotation services, or shared caching. 650 Some proxies are designed to apply transformations to selected 651 messages or payloads while they are being forwarded, as described in 652 Section 6.7.2. 654 A "gateway" (a.k.a. "reverse proxy") is an intermediary that acts as 655 an origin server for the outbound connection but translates received 656 requests and forwards them inbound to another server or servers. 657 Gateways are often used to encapsulate legacy or untrusted 658 information services, to improve server performance through 659 "accelerator" caching, and to enable partitioning or load balancing 660 of HTTP services across multiple machines. 662 All HTTP requirements applicable to an origin server also apply to 663 the outbound communication of a gateway. A gateway communicates with 664 inbound servers using any protocol that it desires, including private 665 extensions to HTTP that are outside the scope of this specification. 666 However, an HTTP-to-HTTP gateway that wishes to interoperate with 667 third-party HTTP servers ought to conform to user agent requirements 668 on the gateway's inbound connection. 670 A "tunnel" acts as a blind relay between two connections without 671 changing the messages. Once active, a tunnel is not considered a 672 party to the HTTP communication, though the tunnel might have been 673 initiated by an HTTP request. A tunnel ceases to exist when both 674 ends of the relayed connection are closed. Tunnels are used to 675 extend a virtual connection through an intermediary, such as when 676 Transport Layer Security (TLS, [RFC8446]) is used to establish 677 confidential communication through a shared firewall proxy. 679 The above categories for intermediary only consider those acting as 680 participants in the HTTP communication. There are also 681 intermediaries that can act on lower layers of the network protocol 682 stack, filtering or redirecting HTTP traffic without the knowledge or 683 permission of message senders. Network intermediaries are 684 indistinguishable (at a protocol level) from a man-in-the-middle 685 attack, often introducing security flaws or interoperability problems 686 due to mistakenly violating HTTP semantics. 688 For example, an "interception proxy" [RFC3040] (also commonly known 689 as a "transparent proxy" [RFC1919] or "captive portal") differs from 690 an HTTP proxy because it is not selected by the client. Instead, an 691 interception proxy filters or redirects outgoing TCP port 80 packets 692 (and occasionally other common port traffic). Interception proxies 693 are commonly found on public network access points, as a means of 694 enforcing account subscription prior to allowing use of non-local 695 Internet services, and within corporate firewalls to enforce network 696 usage policies. 698 HTTP is defined as a stateless protocol, meaning that each request 699 message can be understood in isolation. Many implementations depend 700 on HTTP's stateless design in order to reuse proxied connections or 701 dynamically load balance requests across multiple servers. Hence, a 702 server MUST NOT assume that two requests on the same connection are 703 from the same user agent unless the connection is secured and 704 specific to that agent. Some non-standard HTTP extensions (e.g., 705 [RFC4559]) have been known to violate this requirement, resulting in 706 security and interoperability problems. 708 2.3. Caches 710 A "cache" is a local store of previous response messages and the 711 subsystem that controls its message storage, retrieval, and deletion. 712 A cache stores cacheable responses in order to reduce the response 713 time and network bandwidth consumption on future, equivalent 714 requests. Any client or server MAY employ a cache, though a cache 715 cannot be used by a server while it is acting as a tunnel. 717 The effect of a cache is that the request/response chain is shortened 718 if one of the participants along the chain has a cached response 719 applicable to that request. The following illustrates the resulting 720 chain if B has a cached copy of an earlier response from O (via C) 721 for a request that has not been cached by UA or A. 723 > > 724 UA =========== A =========== B - - - - - - C - - - - - - O 725 < < 727 A response is "cacheable" if a cache is allowed to store a copy of 728 the response message for use in answering subsequent requests. Even 729 when a response is cacheable, there might be additional constraints 730 placed by the client or by the origin server on when that cached 731 response can be used for a particular request. HTTP requirements for 732 cache behavior and cacheable responses are defined in Section 2 of 733 [Caching]. 735 There is a wide variety of architectures and configurations of caches 736 deployed across the World Wide Web and inside large organizations. 737 These include national hierarchies of proxy caches to save 738 transoceanic bandwidth, collaborative systems that broadcast or 739 multicast cache entries, archives of pre-fetched cache entries for 740 use in off-line or high-latency environments, and so on. 742 2.4. Uniform Resource Identifiers 744 Uniform Resource Identifiers (URIs) [RFC3986] are used throughout 745 HTTP as the means for identifying resources (Section 2.5). URI 746 references are used to target requests, indicate redirects, and 747 define relationships. 749 The definitions of "URI-reference", "absolute-URI", "relative-part", 750 "authority", "port", "host", "path-abempty", "segment", and "query" 751 are adopted from the URI generic syntax. An "absolute-path" rule is 752 defined for protocol elements that can contain a non-empty path 753 component. (This rule differs slightly from the path-abempty rule of 754 RFC 3986, which allows for an empty path to be used in references, 755 and path-absolute rule, which does not allow paths that begin with 756 "//".) A "partial-URI" rule is defined for protocol elements that 757 can contain a relative URI but not a fragment component. 759 URI-reference = 760 absolute-URI = 761 relative-part = 762 authority = 763 uri-host = 764 port = 765 path-abempty = 766 segment = 767 query = 769 absolute-path = 1*( "/" segment ) 770 partial-URI = relative-part [ "?" query ] 772 Each protocol element in HTTP that allows a URI reference will 773 indicate in its ABNF production whether the element allows any form 774 of reference (URI-reference), only a URI in absolute form (absolute- 775 URI), only the path and optional query components, or some 776 combination of the above. Unless otherwise indicated, URI references 777 are parsed relative to the target URI (Section 6.1). 779 It is RECOMMENDED that all senders and recipients support, at a 780 minimum, URIs with lengths of 8000 octets in protocol elements. Note 781 that this implies some structures and on-wire representations (for 782 example, the request line in HTTP/1.1) will necessarily be larger in 783 some cases. 785 2.5. Resources 787 The target of an HTTP request is called a "resource". HTTP does not 788 limit the nature of a resource; it merely defines an interface that 789 might be used to interact with resources. Most resources are 790 identified by a Uniform Resource Identifier (URI), as described in 791 Section 2.4. 793 One design goal of HTTP is to separate resource identification from 794 request semantics, which is made possible by vesting the request 795 semantics in the request method (Section 8) and a few request- 796 modifying header fields (Section 9). If there is a conflict between 797 the method semantics and any semantic implied by the URI itself, as 798 described in Section 8.2.1, the method semantics take precedence. 800 IANA maintains the registry of URI Schemes [BCP35] at 801 . Although requests 802 might target any URI scheme, the following schemes are inherent to 803 HTTP servers: 805 +------------+------------------------------------+---------------+ 806 | URI Scheme | Description | Reference | 807 +------------+------------------------------------+---------------+ 808 | http | Hypertext Transfer Protocol | Section 2.5.1 | 809 | https | Hypertext Transfer Protocol Secure | Section 2.5.2 | 810 +------------+------------------------------------+---------------+ 812 Note that the presence of an "http" or "https" URI does not imply 813 that there is always an HTTP server at the identified origin 814 listening for connections. Anyone can mint a URI, whether or not a 815 server exists and whether or not that server currently maps that 816 identifier to a resource. The delegated nature of registered names 817 and IP addresses creates a federated namespace whether or not an HTTP 818 server is present. 820 2.5.1. http URI Scheme 822 The "http" URI scheme is hereby defined for minting identifiers 823 within the hierarchical namespace governed by a potential HTTP origin 824 server listening for TCP ([RFC0793]) connections on a given port. 826 http-URI = "http" "://" authority path-abempty [ "?" query ] 828 The origin server for an "http" URI is identified by the authority 829 component, which includes a host identifier and optional port number 830 ([RFC3986], Section 3.2.2). If the port subcomponent is empty or not 831 given, TCP port 80 (the reserved port for WWW services) is the 832 default. The origin determines who has the right to respond 833 authoritatively to requests that target the identified resource, as 834 defined in Section 6.4.1. 836 A sender MUST NOT generate an "http" URI with an empty host 837 identifier. A recipient that processes such a URI reference MUST 838 reject it as invalid. 840 The hierarchical path component and optional query component identify 841 the target resource within that origin server's name space. 843 2.5.2. https URI Scheme 845 The "https" URI scheme is hereby defined for minting identifiers 846 within the hierarchical namespace governed by a potential origin 847 server listening for TCP connections on a given port and capable of 848 establishing a TLS ([RFC8446]) connection that has been secured for 849 HTTP communication. In this context, "secured" specifically means 850 that the server has been authenticated as acting on behalf of the 851 identified authority and all HTTP communication with that server has 852 been protected for confidentiality and integrity through the use of 853 strong encryption. 855 https-URI = "https" "://" authority path-abempty [ "?" query ] 857 The origin server for an "https" URI is identified by the authority 858 component, which includes a host identifier and optional port number 859 ([RFC3986], Section 3.2.2). If the port subcomponent is empty or not 860 given, TCP port 443 (the reserved port for HTTP over TLS) is the 861 default. The origin determines who has the right to respond 862 authoritatively to requests that target the identified resource, as 863 defined in Section 6.4.2. 865 A sender MUST NOT generate an "https" URI with an empty host 866 identifier. A recipient that processes such a URI reference MUST 867 reject it as invalid. 869 The hierarchical path component and optional query component identify 870 the target resource within that origin server's name space. 872 A client MUST ensure that its HTTP requests for an "https" resource 873 are secured, prior to being communicated, and that it only accepts 874 secured responses to those requests. 876 Resources made available via the "https" scheme have no shared 877 identity with the "http" scheme. They are distinct origins with 878 separate namespaces. However, an extension to HTTP that is defined 879 to apply to all origins with the same host, such as the Cookie 880 protocol [RFC6265], can allow information set by one service to 881 impact communication with other services within a matching group of 882 host domains. 884 2.5.3. http and https URI Normalization and Comparison 886 Since the "http" and "https" schemes conform to the URI generic 887 syntax, such URIs are normalized and compared according to the 888 algorithm defined in Section 6 of [RFC3986], using the defaults 889 described above for each scheme. 891 If the port is equal to the default port for a scheme, the normal 892 form is to omit the port subcomponent. When not being used as the 893 target of an OPTIONS request, an empty path component is equivalent 894 to an absolute path of "/", so the normal form is to provide a path 895 of "/" instead. The scheme and host are case-insensitive and 896 normally provided in lowercase; all other components are compared in 897 a case-sensitive manner. Characters other than those in the 898 "reserved" set are equivalent to their percent-encoded octets: the 899 normal form is to not encode them (see Sections 2.1 and 2.2 of 900 [RFC3986]). 902 For example, the following three URIs are equivalent: 904 http://example.com:80/~smith/home.html 905 http://EXAMPLE.com/%7Esmith/home.html 906 http://EXAMPLE.com:/%7esmith/home.html 908 2.5.4. Deprecated userinfo 910 The URI generic syntax for authority also includes a userinfo 911 subcomponent ([RFC3986], Section 3.2.1) for including user 912 authentication information in the URI. In that subcomponent, the use 913 of the format "user:password" is deprecated. 915 Some implementations make use of the userinfo component for internal 916 configuration of authentication information, such as within command 917 invocation options, configuration files, or bookmark lists, even 918 though such usage might expose a user identifier or password. 920 A sender MUST NOT generate the userinfo subcomponent (and its "@" 921 delimiter) when an "http" or "https" URI reference is generated 922 within a message as a target URI or field value. 924 Before making use of an "http" or "https" URI reference received from 925 an untrusted source, a recipient SHOULD parse for userinfo and treat 926 its presence as an error; it is likely being used to obscure the 927 authority for the sake of phishing attacks. 929 2.5.5. Fragment Identifiers on http(s) URI References 931 Fragment identifiers allow for indirect identification of a secondary 932 resource, independent of the URI scheme, as defined in Section 3.5 of 933 [RFC3986]. Some protocol elements that refer to a URI allow 934 inclusion of a fragment, while others do not. They are distinguished 935 by use of the ABNF rule for elements where fragment is allowed; 936 otherwise, a specific rule that excludes fragments is used (see 937 Section 6.1). 939 Note: the fragment identifier component is not part of the actual 940 scheme definition for a URI scheme (see Section 4.3 of [RFC3986]), 941 thus does not appear in the ABNF definitions for the "http" and 942 "https" URI schemes above. 944 3. Conformance 946 3.1. Implementation Diversity 948 When considering the design of HTTP, it is easy to fall into a trap 949 of thinking that all user agents are general-purpose browsers and all 950 origin servers are large public websites. That is not the case in 951 practice. Common HTTP user agents include household appliances, 952 stereos, scales, firmware update scripts, command-line programs, 953 mobile apps, and communication devices in a multitude of shapes and 954 sizes. Likewise, common HTTP origin servers include home automation 955 units, configurable networking components, office machines, 956 autonomous robots, news feeds, traffic cameras, ad selectors, and 957 video-delivery platforms. 959 The term "user agent" does not imply that there is a human user 960 directly interacting with the software agent at the time of a 961 request. In many cases, a user agent is installed or configured to 962 run in the background and save its results for later inspection (or 963 save only a subset of those results that might be interesting or 964 erroneous). Spiders, for example, are typically given a start URI 965 and configured to follow certain behavior while crawling the Web as a 966 hypertext graph. 968 The implementation diversity of HTTP means that not all user agents 969 can make interactive suggestions to their user or provide adequate 970 warning for security or privacy concerns. In the few cases where 971 this specification requires reporting of errors to the user, it is 972 acceptable for such reporting to only be observable in an error 973 console or log file. Likewise, requirements that an automated action 974 be confirmed by the user before proceeding might be met via advance 975 configuration choices, run-time options, or simple avoidance of the 976 unsafe action; confirmation does not imply any specific user 977 interface or interruption of normal processing if the user has 978 already made that choice. 980 3.2. Role-based Requirements 982 This specification targets conformance criteria according to the role 983 of a participant in HTTP communication. Hence, HTTP requirements are 984 placed on senders, recipients, clients, servers, user agents, 985 intermediaries, origin servers, proxies, gateways, or caches, 986 depending on what behavior is being constrained by the requirement. 987 Additional (social) requirements are placed on implementations, 988 resource owners, and protocol element registrations when they apply 989 beyond the scope of a single communication. 991 The verb "generate" is used instead of "send" where a requirement 992 differentiates between creating a protocol element and merely 993 forwarding a received element downstream. 995 An implementation is considered conformant if it complies with all of 996 the requirements associated with the roles it partakes in HTTP. 998 Conformance includes both the syntax and semantics of protocol 999 elements. A sender MUST NOT generate protocol elements that convey a 1000 meaning that is known by that sender to be false. A sender MUST NOT 1001 generate protocol elements that do not match the grammar defined by 1002 the corresponding ABNF rules. Within a given message, a sender MUST 1003 NOT generate protocol elements or syntax alternatives that are only 1004 allowed to be generated by participants in other roles (i.e., a role 1005 that the sender does not have for that message). 1007 3.3. Parsing Elements 1009 When a received protocol element is parsed, the recipient MUST be 1010 able to parse any value of reasonable length that is applicable to 1011 the recipient's role and that matches the grammar defined by the 1012 corresponding ABNF rules. Note, however, that some received protocol 1013 elements might not be parsed. For example, an intermediary 1014 forwarding a message might parse a field into generic field name and 1015 field value components, but then forward the field without further 1016 parsing inside the field value. 1018 HTTP does not have specific length limitations for many of its 1019 protocol elements because the lengths that might be appropriate will 1020 vary widely, depending on the deployment context and purpose of the 1021 implementation. Hence, interoperability between senders and 1022 recipients depends on shared expectations regarding what is a 1023 reasonable length for each protocol element. Furthermore, what is 1024 commonly understood to be a reasonable length for some protocol 1025 elements has changed over the course of the past two decades of HTTP 1026 use and is expected to continue changing in the future. 1028 At a minimum, a recipient MUST be able to parse and process protocol 1029 element lengths that are at least as long as the values that it 1030 generates for those same protocol elements in other messages. For 1031 example, an origin server that publishes very long URI references to 1032 its own resources needs to be able to parse and process those same 1033 references when received as a target URI. 1035 3.4. Error Handling 1037 A recipient MUST interpret a received protocol element according to 1038 the semantics defined for it by this specification, including 1039 extensions to this specification, unless the recipient has determined 1040 (through experience or configuration) that the sender incorrectly 1041 implements what is implied by those semantics. For example, an 1042 origin server might disregard the contents of a received Accept- 1043 Encoding header field if inspection of the User-Agent header field 1044 indicates a specific implementation version that is known to fail on 1045 receipt of certain content codings. 1047 Unless noted otherwise, a recipient MAY attempt to recover a usable 1048 protocol element from an invalid construct. HTTP does not define 1049 specific error handling mechanisms except when they have a direct 1050 impact on security, since different applications of the protocol 1051 require different error handling strategies. For example, a Web 1052 browser might wish to transparently recover from a response where the 1053 Location header field doesn't parse according to the ABNF, whereas a 1054 systems control client might consider any form of error recovery to 1055 be dangerous. 1057 Some requests can be automatically retried by a client in the event 1058 of an underlying connection failure, as described in Section 8.2.2. 1060 4. Extending and Versioning HTTP 1062 While HTTP's core semantics don't change between protocol versions, 1063 the expression of them "on the wire" can change, and so the HTTP 1064 version number changes when incompatible changes are made to the wire 1065 format. Additionally, HTTP allows incremental, backwards-compatible 1066 changes to be made to the protocol without changing its version 1067 through the use of defined extension points. 1069 4.1. Extending HTTP 1071 HTTP defines a number of generic extension points that can be used to 1072 introduce capabilities to the protocol without introducing a new 1073 version, including methods (Section 8.4), status codes 1074 (Section 10.7), header and trailer fields (Section 5.7), and further 1075 extensibility points within defined fields (such as Cache-Control in 1076 Section 5.2.3 of [Caching]). Because the semantics of HTTP are not 1077 versioned, these extension points are persistent; the version of the 1078 protocol in use does not affect their semantics. 1080 Version-independent extensions are discouraged from depending on or 1081 interacting with the specific version of the protocol in use. When 1082 this is unavoidable, careful consideration needs to be given to how 1083 the extension can interoperate across versions. 1085 Additionally, specific versions of HTTP might have their own 1086 extensibility points, such as transfer-codings in HTTP/1.1 1087 (Section 6.1 of [Messaging]) and HTTP/2 ([RFC7540]) SETTINGS or frame 1088 types. These extension points are specific to the version of the 1089 protocol they occur within. 1091 Version-specific extensions cannot override or modify the semantics 1092 of a version-independent mechanism or extension point (like a method 1093 or header field) without explicitly being allowed by that protocol 1094 element. For example, the CONNECT method (Section 8.3.6) allows 1095 this. 1097 These guidelines assure that the protocol operates correctly and 1098 predictably, even when parts of the path implement different versions 1099 of HTTP. 1101 4.2. Protocol Versioning 1103 The HTTP version number consists of two decimal digits separated by a 1104 "." (period or decimal point). The first digit ("major version") 1105 indicates the HTTP messaging syntax, whereas the second digit ("minor 1106 version") indicates the highest minor version within that major 1107 version to which the sender is conformant and able to understand for 1108 future communication. 1110 The protocol version as a whole indicates the sender's conformance 1111 with the set of requirements laid out in that version's corresponding 1112 specification of HTTP. For example, the version "HTTP/1.1" is 1113 defined by the combined specifications of this document, "HTTP 1114 Caching" [Caching], and "HTTP/1.1 Messaging" [Messaging]. 1116 The minor version advertises the sender's communication capabilities 1117 even when the sender is only using a backwards-compatible subset of 1118 the protocol, thereby letting the recipient know that more advanced 1119 features can be used in response (by servers) or in future requests 1120 (by clients). 1122 A client SHOULD send a request version equal to the highest version 1123 to which the client is conformant and whose major version is no 1124 higher than the highest version supported by the server, if this is 1125 known. A client MUST NOT send a version to which it is not 1126 conformant. 1128 A client MAY send a lower request version if it is known that the 1129 server incorrectly implements the HTTP specification, but only after 1130 the client has attempted at least one normal request and determined 1131 from the response status code or header fields (e.g., Server) that 1132 the server improperly handles higher request versions. 1134 A server SHOULD send a response version equal to the highest version 1135 to which the server is conformant that has a major version less than 1136 or equal to the one received in the request. A server MUST NOT send 1137 a version to which it is not conformant. A server can send a 505 1138 (HTTP Version Not Supported) response if it wishes, for any reason, 1139 to refuse service of the client's major protocol version. 1141 HTTP's major version number is incremented when an incompatible 1142 message syntax is introduced. The minor number is incremented when 1143 changes made to the protocol have the effect of adding to the message 1144 semantics or implying additional capabilities of the sender. 1146 When an HTTP message is received with a major version number that the 1147 recipient implements, but a higher minor version number than what the 1148 recipient implements, the recipient SHOULD process the message as if 1149 it were in the highest minor version within that major version to 1150 which the recipient is conformant. A recipient can assume that a 1151 message with a higher minor version, when sent to a recipient that 1152 has not yet indicated support for that higher version, is 1153 sufficiently backwards-compatible to be safely processed by any 1154 implementation of the same major version. 1156 When a major version of HTTP does not define any minor versions, the 1157 minor version "0" is implied and is used when referring to that 1158 protocol within a protocol element that requires sending a minor 1159 version. 1161 5. Header and Trailer Fields 1163 HTTP messages use key/value pairs to convey data about the message, 1164 its payload, the target resource, or the connection (i.e., control 1165 data). They are called "HTTP fields" or just "fields". 1167 Every message can have two separate areas that such fields can occur 1168 within; the "header field section" (or just "header section") 1169 preceding the message body and containing "header fields" (or just 1170 "headers", colloquially) and the "trailer field section" (or just 1171 "trailer section") after the message body containing "trailer fields" 1172 (or just "trailers" colloquially). Header fields are more common; 1173 see Section 5.6 for discussion of the applicability and limitations 1174 of trailer fields. 1176 Both sections are composed of any number of "field lines", each with 1177 a "field name" (see Section 5.3) identifying the field, and a "field 1178 line value" that conveys data for the field. 1180 Each field name present in a section has a corresponding "field 1181 value" for that section, composed from all field line values with 1182 that given field name in that section, concatenated together and 1183 separated with commas. See Section 5.1 for further discussion of the 1184 semantics of field ordering and combination in messages, and 1185 Section 5.4 for more discussion of field values. 1187 For example, this section: 1189 Example-Field: Foo, Bar 1190 Example-Field: Baz 1192 contains two field lines, both with the field name "Example-Field". 1193 The first field line has a field line value of "Foo, Bar", while the 1194 second field line value is "Baz". The field value for "Example- 1195 Field" is a list with three members: "Foo", "Bar", and "Baz". 1197 The interpretation of a field does not change between minor versions 1198 of the same major HTTP version, though the default behavior of a 1199 recipient in the absence of such a field can change. Unless 1200 specified otherwise, fields are defined for all versions of HTTP. In 1201 particular, the Host and Connection fields ought to be implemented by 1202 all HTTP/1.x implementations whether or not they advertise 1203 conformance with HTTP/1.1. 1205 New fields can be introduced without changing the protocol version if 1206 their defined semantics allow them to be safely ignored by recipients 1207 that do not recognize them; see Section 5.3.1. 1209 5.1. Field Ordering and Combination 1211 The order in which field lines with differing names are received in a 1212 message is not significant. However, it is good practice to send 1213 header fields that contain control data first, such as Host on 1214 requests and Date on responses, so that implementations can decide 1215 when not to handle a message as early as possible. A server MUST NOT 1216 apply a request to the target resource until the entire request 1217 header section is received, since later header field lines might 1218 include conditionals, authentication credentials, or deliberately 1219 misleading duplicate header fields that would impact request 1220 processing. 1222 A recipient MAY combine multiple field lines with the same field name 1223 into one field line, without changing the semantics of the message, 1224 by appending each subsequent field line value to the initial field 1225 line value in order, separated by a comma and OWS (optional 1226 whitespace). For consistency, use comma SP. 1228 The order in which field lines with the same name are received is 1229 therefore significant to the interpretation of the field value; a 1230 proxy MUST NOT change the order of these field line values when 1231 forwarding a message. 1233 This means that, aside from the well-known exception noted below, a 1234 sender MUST NOT generate multiple field lines with the same name in a 1235 message (whether in the headers or trailers), or append a field line 1236 when a field line of the same name already exists in the message, 1237 unless that field's definition allows multiple field line values to 1238 be recombined as a comma-separated list [i.e., at least one 1239 alternative of the field's definition allows a comma-separated list, 1240 such as an ABNF rule of #(values) defined in Section 5.5]. 1242 Note: In practice, the "Set-Cookie" header field ([RFC6265]) often 1243 appears in a response message across multiple field lines and does 1244 not use the list syntax, violating the above requirements on 1245 multiple field lines with the same field name. Since it cannot be 1246 combined into a single field value, recipients ought to handle 1247 "Set-Cookie" as a special case while processing fields. (See 1248 Appendix A.2.3 of [Kri2001] for details.) 1250 5.2. Field Limits 1252 HTTP does not place a predefined limit on the length of each field 1253 line, field value, or on the length of the header or trailer section 1254 as a whole, as described in Section 3. Various ad hoc limitations on 1255 individual lengths are found in practice, often depending on the 1256 specific field's semantics. 1258 A server that receives a request header field line, field value, or 1259 set of fields larger than it wishes to process MUST respond with an 1260 appropriate 4xx (Client Error) status code. Ignoring such header 1261 fields would increase the server's vulnerability to request smuggling 1262 attacks (Section 11.2 of [Messaging]). 1264 A client MAY discard or truncate received field lines that are larger 1265 than the client wishes to process if the field semantics are such 1266 that the dropped value(s) can be safely ignored without changing the 1267 message framing or response semantics. 1269 5.3. Field Names 1271 The field-name token labels the corresponding field value as having 1272 the semantics defined by that field. For example, the Date header 1273 field is defined in Section 11.1.1 as containing the origination 1274 timestamp for the message in which it appears. 1276 field-name = token 1278 Field names are case-insensitive and ought to be registered within 1279 the "Hypertext Transfer Protocol (HTTP) Field Name Registry"; see 1280 Section 5.3.2. 1282 Authors of specifications defining new fields are advised to choose a 1283 short but descriptive field name. Short names avoid needless data 1284 transmission; descriptive names avoid confusion and "squatting" on 1285 names that might have broader uses. 1287 To that end, limited-use fields (such as a header confined to a 1288 single application or use case) are encouraged to use a name that 1289 includes its name (or an abbreviation) as a prefix; for example, if 1290 the Foo Application needs a Description field, it might use "Foo- 1291 Desc"; "Description" is too generic, and "Foo-Description" is 1292 needlessly long. 1294 While the field-name syntax is defined to allow any token character, 1295 in practice some implementations place limits on the characters they 1296 accept in field-names. To be interoperable, new field names SHOULD 1297 constrain themselves to alphanumeric characters, "-", and ".", and 1298 SHOULD begin with an alphanumeric character. 1300 Field names ought not be prefixed with "X-"; see [BCP178] for further 1301 information. 1303 Other prefixes are sometimes used in HTTP field names; for example, 1304 "Accept-" is used in many content negotiation headers. These 1305 prefixes are only an aid to recognizing the purpose of a field, and 1306 do not trigger automatic processing. 1308 5.3.1. Field Extensibility 1310 There is no limit on the introduction of new field names, each 1311 presumably defining new semantics. 1313 New fields can be defined such that, when they are understood by a 1314 recipient, they might override or enhance the interpretation of 1315 previously defined fields, define preconditions on request 1316 evaluation, or refine the meaning of responses. 1318 A proxy MUST forward unrecognized header fields unless the field name 1319 is listed in the Connection header field (Section 9.1 of [Messaging]) 1320 or the proxy is specifically configured to block, or otherwise 1321 transform, such fields. Other recipients SHOULD ignore unrecognized 1322 header and trailer fields. These requirements allow HTTP's 1323 functionality to be enhanced without requiring prior update of 1324 deployed intermediaries. 1326 5.3.2. Field Name Registry 1328 The "Hypertext Transfer Protocol (HTTP) Field Name Registry" defines 1329 the namespace for HTTP field names. 1331 Any party can request registration of a HTTP field. See Section 5.7 1332 for considerations to take into account when creating a new HTTP 1333 field. 1335 The "Hypertext Transfer Protocol (HTTP) Field Name Registry" is 1336 located at . 1337 Registration requests can be made by following the instructions 1338 located there or by sending an email to the "ietf-http-wg@ietf.org" 1339 mailing list. 1341 Field names are registered on the advice of a Designated Expert 1342 (appointed by the IESG or their delegate). Fields with the status 1343 'permanent' are Specification Required ([RFC8126], Section 4.6). 1345 Registration requests consist of at least the following information: 1347 Field name: 1348 The requested field name. It MUST conform to the field-name 1349 syntax defined in Section 5.3, and SHOULD be restricted to just 1350 letters, digits, hyphen ('-') and underscore ('_') characters, 1351 with the first character being a letter. 1353 Status: 1354 "permanent" or "provisional". 1356 Specification document(s): 1357 Reference to the document that specifies the field, preferably 1358 including a URI that can be used to retrieve a copy of the 1359 document. An indication of the relevant section(s) can also be 1360 included, but is not required. 1362 And, optionally: 1364 Comments: Additional information, such as about reserved entries. 1366 The Expert(s) can define additional fields to be collected in the 1367 registry, in consultation with the community. 1369 Standards-defined names have a status of "permanent". Other names 1370 can also be registered as permanent, if the Expert(s) find that they 1371 are in use, in consultation with the community. Other names should 1372 be registered as "provisional". 1374 Provisional entries can be removed by the Expert(s) if -- in 1375 consultation with the community -- the Expert(s) find that they are 1376 not in use. The Experts can change a provisional entry's status to 1377 permanent at any time. 1379 Note that names can be registered by third parties (including the 1380 Expert(s)), if the Expert(s) determines that an unregistered name is 1381 widely deployed and not likely to be registered in a timely manner 1382 otherwise. 1384 5.4. Field Values 1386 HTTP field values typically have their syntax defined using ABNF 1387 ([RFC5234]), using the extension defined in Section 5.5 as necessary, 1388 and are usually constrained to the range of US-ASCII characters. 1389 Fields needing a greater range of characters can use an encoding such 1390 as the one defined in [RFC8187]. 1392 field-value = *field-content 1393 field-content = field-vchar 1394 [ 1*( SP / HTAB / field-vchar ) field-vchar ] 1395 field-vchar = VCHAR / obs-text 1397 Historically, HTTP allowed field content with text in the ISO-8859-1 1398 charset [ISO-8859-1], supporting other charsets only through use of 1399 [RFC2047] encoding. In practice, most HTTP field values use only a 1400 subset of the US-ASCII charset [USASCII]. Newly defined fields 1401 SHOULD limit their values to US-ASCII octets. A recipient SHOULD 1402 treat other octets in field content (obs-text) as opaque data. 1404 Field values containing control (CTL) characters such as CR or LF are 1405 invalid; recipients MUST either reject a field value containing 1406 control characters, or convert them to SP before processing or 1407 forwarding the message. 1409 Leading and trailing whitespace in raw field values is removed upon 1410 field parsing (Section 5.1 of [Messaging]). Field definitions where 1411 leading or trailing whitespace in values is significant will have to 1412 use a container syntax such as quoted-string (Section 5.4.1.2). 1414 Because commas (",") are used as a generic delimiter between members 1415 of a list-based field value, they need to be treated with care if 1416 they are allowed as data within those members. Typically, list 1417 members that might contain a comma are enclosed in a quoted-string. 1419 For example, a textual date and a URI (either of which might contain 1420 a comma) could be safely carried in list-based field values like 1421 these: 1423 Example-URI-Field: "http://example.com/a.html,foo", 1424 "http://without-a-comma.example.com/" 1425 Example-Date-Field: "Sat, 04 May 1996", "Wed, 14 Sep 2005" 1427 Note that double-quote delimiters almost always are used with the 1428 quoted-string production; using a different syntax inside double- 1429 quotes will likely cause unnecessary confusion. 1431 Many fields (such as Content-Type, defined in Section 7.2.1) use a 1432 common syntax for parameters that allows both unquoted (token) and 1433 quoted (quoted-string) syntax for a parameter value 1434 (Section 5.4.1.4). Use of common syntax allows recipients to reuse 1435 existing parser components. When allowing both forms, the meaning of 1436 a parameter value ought to be the same whether it was received as a 1437 token or a quoted string. 1439 Historically, HTTP field values could be extended over multiple lines 1440 by preceding each extra line with at least one space or horizontal 1441 tab (obs-fold). This document assumes that any such obsolete line 1442 folding has been replaced with one or more SP octets prior to 1443 interpreting the field value, as described in Section 5.2 of 1444 [Messaging]. 1446 Note: This specification does not use ABNF rules to define each 1447 "Field Name: Field Value" pair, as was done in earlier editions 1448 (published before [RFC7230]). Instead, ABNF rules are named 1449 according to each registered field name, wherein the rule defines 1450 the valid grammar for that field's corresponding field values 1451 (i.e., after the field value has been extracted by a generic field 1452 parser). 1454 5.4.1. Common Field Value Components 1456 Many HTTP field values are defined using common syntax components, 1457 separated by whitespace or specific delimiting characters. 1458 Delimiters are chosen from the set of US-ASCII visual characters not 1459 allowed in a token (DQUOTE and "(),/:;<=>?@[\]{}"). 1461 5.4.1.1. Tokens 1463 Tokens are short textual identifiers that do not include whitespace 1464 or delimiters. 1466 token = 1*tchar 1468 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" 1469 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" 1470 / DIGIT / ALPHA 1471 ; any VCHAR, except delimiters 1473 5.4.1.2. Quoted Strings 1475 A string of text is parsed as a single value if it is quoted using 1476 double-quote marks. 1478 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 1479 qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text 1480 obs-text = %x80-FF 1482 The backslash octet ("\") can be used as a single-octet quoting 1483 mechanism within quoted-string and comment constructs. Recipients 1484 that process the value of a quoted-string MUST handle a quoted-pair 1485 as if it were replaced by the octet following the backslash. 1487 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 1489 A sender SHOULD NOT generate a quoted-pair in a quoted-string except 1490 where necessary to quote DQUOTE and backslash octets occurring within 1491 that string. A sender SHOULD NOT generate a quoted-pair in a comment 1492 except where necessary to quote parentheses ["(" and ")"] and 1493 backslash octets occurring within that comment. 1495 5.4.1.3. Comments 1497 Comments can be included in some HTTP fields by surrounding the 1498 comment text with parentheses. Comments are only allowed in fields 1499 containing "comment" as part of their field value definition. 1501 comment = "(" *( ctext / quoted-pair / comment ) ")" 1502 ctext = HTAB / SP / %x21-27 / %x2A-5B / %x5D-7E / obs-text 1504 5.4.1.4. Parameters 1506 A parameter is a name=value pair that is often defined within field 1507 values as a common syntax for appending auxiliary information to an 1508 item. Each parameter is usually delimited by an immediately 1509 preceding semicolon. 1511 parameter = parameter-name "=" parameter-value 1512 parameter-name = token 1513 parameter-value = ( token / quoted-string ) 1515 Parameter names are case-insensitive. Parameter values might or 1516 might not be case-sensitive, depending on the semantics of the 1517 parameter name. Examples of parameters and some equivalent forms can 1518 be seen in media types (Section 7.1.1) and the Accept header field 1519 (Section 9.4.1). 1521 A parameter value that matches the token production can be 1522 transmitted either as a token or within a quoted-string. The quoted 1523 and unquoted values are equivalent. 1525 Note: Parameters do not allow whitespace (not even "bad" 1526 whitespace) around the "=" character. 1528 5.4.1.5. Date/Time Formats 1530 Prior to 1995, there were three different formats commonly used by 1531 servers to communicate timestamps. For compatibility with old 1532 implementations, all three are defined here. The preferred format is 1533 a fixed-length and single-zone subset of the date and time 1534 specification used by the Internet Message Format [RFC5322]. 1536 HTTP-date = IMF-fixdate / obs-date 1538 An example of the preferred format is 1540 Sun, 06 Nov 1994 08:49:37 GMT ; IMF-fixdate 1542 Examples of the two obsolete formats are 1544 Sunday, 06-Nov-94 08:49:37 GMT ; obsolete RFC 850 format 1545 Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format 1547 A recipient that parses a timestamp value in an HTTP field MUST 1548 accept all three HTTP-date formats. When a sender generates a field 1549 that contains one or more timestamps defined as HTTP-date, the sender 1550 MUST generate those timestamps in the IMF-fixdate format. 1552 An HTTP-date value represents time as an instance of Coordinated 1553 Universal Time (UTC). The first two formats indicate UTC by the 1554 three-letter abbreviation for Greenwich Mean Time, "GMT", a 1555 predecessor of the UTC name; values in the asctime format are assumed 1556 to be in UTC. A sender that generates HTTP-date values from a local 1557 clock ought to use NTP ([RFC5905]) or some similar protocol to 1558 synchronize its clock to UTC. 1560 Preferred format: 1562 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 1563 ; fixed length/zone/capitalization subset of the format 1564 ; see Section 3.3 of [RFC5322] 1566 day-name = %s"Mon" / %s"Tue" / %s"Wed" 1567 / %s"Thu" / %s"Fri" / %s"Sat" / %s"Sun" 1569 date1 = day SP month SP year 1570 ; e.g., 02 Jun 1982 1572 day = 2DIGIT 1573 month = %s"Jan" / %s"Feb" / %s"Mar" / %s"Apr" 1574 / %s"May" / %s"Jun" / %s"Jul" / %s"Aug" 1575 / %s"Sep" / %s"Oct" / %s"Nov" / %s"Dec" 1576 year = 4DIGIT 1578 GMT = %s"GMT" 1580 time-of-day = hour ":" minute ":" second 1581 ; 00:00:00 - 23:59:60 (leap second) 1583 hour = 2DIGIT 1584 minute = 2DIGIT 1585 second = 2DIGIT 1587 Obsolete formats: 1589 obs-date = rfc850-date / asctime-date 1591 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 1592 date2 = day "-" month "-" 2DIGIT 1593 ; e.g., 02-Jun-82 1595 day-name-l = %s"Monday" / %s"Tuesday" / %s"Wednesday" 1596 / %s"Thursday" / %s"Friday" / %s"Saturday" / %s"Sunday" 1598 asctime-date = day-name SP date3 SP time-of-day SP year 1599 date3 = month SP ( 2DIGIT / ( SP 1DIGIT )) 1600 ; e.g., Jun 2 1602 HTTP-date is case sensitive. A sender MUST NOT generate additional 1603 whitespace in an HTTP-date beyond that specifically included as SP in 1604 the grammar. The semantics of day-name, day, month, year, and time- 1605 of-day are the same as those defined for the Internet Message Format 1606 constructs with the corresponding name ([RFC5322], Section 3.3). 1608 Recipients of a timestamp value in rfc850-date format, which uses a 1609 two-digit year, MUST interpret a timestamp that appears to be more 1610 than 50 years in the future as representing the most recent year in 1611 the past that had the same last two digits. 1613 Recipients of timestamp values are encouraged to be robust in parsing 1614 timestamps unless otherwise restricted by the field definition. For 1615 example, messages are occasionally forwarded over HTTP from a non- 1616 HTTP source that might generate any of the date and time 1617 specifications defined by the Internet Message Format. 1619 Note: HTTP requirements for the date/time stamp format apply only 1620 to their usage within the protocol stream. Implementations are 1621 not required to use these formats for user presentation, request 1622 logging, etc. 1624 5.5. ABNF List Extension: #rule 1626 A #rule extension to the ABNF rules of [RFC5234] is used to improve 1627 readability in the definitions of some list-based field values. 1629 A construct "#" is defined, similar to "*", for defining comma- 1630 delimited lists of elements. The full form is "#element" 1631 indicating at least and at most elements, each separated by a 1632 single comma (",") and optional whitespace (OWS). 1634 5.5.1. Sender Requirements 1636 In any production that uses the list construct, a sender MUST NOT 1637 generate empty list elements. In other words, a sender MUST generate 1638 lists that satisfy the following syntax: 1640 1#element => element *( OWS "," OWS element ) 1642 and: 1644 #element => [ 1#element ] 1646 and for n >= 1 and m > 1: 1648 #element => element *( OWS "," OWS element ) 1650 Appendix A shows the collected ABNF for senders after the list 1651 constructs have been expanded. 1653 5.5.2. Recipient Requirements 1655 Empty elements do not contribute to the count of elements present. A 1656 recipient MUST parse and ignore a reasonable number of empty list 1657 elements: enough to handle common mistakes by senders that merge 1658 values, but not so much that they could be used as a denial-of- 1659 service mechanism. In other words, a recipient MUST accept lists 1660 that satisfy the following syntax: 1662 #element => [ element ] *( OWS "," OWS [ element ] ) 1664 Note that because of the potential presence of empty list elements, 1665 the RFC 5234 ABNF cannot enforce the cardinality of list elements, 1666 and consequently all cases are mapped is if there was no cardinality 1667 specified. 1669 For example, given these ABNF productions: 1671 example-list = 1#example-list-elmt 1672 example-list-elmt = token ; see Section 5.4.1.1 1674 Then the following are valid values for example-list (not including 1675 the double quotes, which are present for delimitation only): 1677 "foo,bar" 1678 "foo ,bar," 1679 "foo , ,bar,charlie" 1681 In contrast, the following values would be invalid, since at least 1682 one non-empty element is required by the example-list production: 1684 "" 1685 "," 1686 ", ," 1688 5.6. Trailer Fields 1690 5.6.1. Purpose 1692 In some HTTP versions, additional metadata can be sent after the 1693 initial header section has been completed (during or after 1694 transmission of the payload body), such as a message integrity check, 1695 digital signature, or post-processing status. For example, the 1696 chunked coding in HTTP/1.1 allows a trailer section after the payload 1697 body (Section 7.1.2 of [Messaging]) which can contain trailer fields: 1698 field names and values that share the same syntax and namespace as 1699 header fields but that are received after the header section. 1701 Trailer fields ought to be processed and stored separately from the 1702 fields in the header section to avoid contradicting message semantics 1703 known at the time the header section was complete. The presence or 1704 absence of certain header fields might impact choices made for the 1705 routing or processing of the message as a whole before the trailers 1706 are received; those choices cannot be unmade by the later discovery 1707 of trailer fields. 1709 5.6.2. Limitations 1711 Many fields cannot be processed outside the header section because 1712 their evaluation is necessary prior to receiving the message body, 1713 such as those that describe message framing, routing, authentication, 1714 request modifiers, response controls, or payload format. A sender 1715 MUST NOT generate a trailer field unless the sender knows the 1716 corresponding header field name's definition permits the field to be 1717 sent in trailers. 1719 Trailer fields can be difficult to process by intermediaries that 1720 forward messages from one protocol version to another. If the entire 1721 message can be buffered in transit, some intermediaries could merge 1722 trailer fields into the header section (as appropriate) before it is 1723 forwarded. However, in most cases, the trailers are simply 1724 discarded. A recipient MUST NOT merge a trailer field into a header 1725 section unless the recipient understands the corresponding header 1726 field definition and that definition explicitly permits and defines 1727 how trailer field values can be safely merged. 1729 The presence of the keyword "trailers" in the TE header field 1730 (Section 7.4 of [Messaging]) indicates that the client is willing to 1731 accept trailer fields, on behalf of itself and any downstream 1732 clients. For requests from an intermediary, this implies that all 1733 downstream clients are willing to accept trailer fields in the 1734 forwarded response. Note that the presence of "trailers" does not 1735 mean that the client(s) will process any particular trailer field in 1736 the response; only that the trailer section as a whole will not be 1737 dropped by any of the clients. 1739 Because of the potential for trailer fields to be discarded in 1740 transit, a server SHOULD NOT generate trailer fields that it believes 1741 are necessary for the user agent to receive. 1743 5.6.3. Trailer 1745 The "Trailer" header field provides a list of field names that the 1746 sender anticipates sending as trailer fields within that message. 1747 This allows a recipient to prepare for receipt of the indicated 1748 metadata before it starts processing the body. 1750 Trailer = 1#field-name 1752 For example, a sender might indicate that a message integrity check 1753 will be computed as the payload is being streamed and provide the 1754 final signature as a trailer field. This allows a recipient to 1755 perform the same check on the fly as the payload data is received. 1757 A sender that intends to generate one or more trailer fields in a 1758 message SHOULD generate a Trailer header field in the header section 1759 of that message to indicate which fields might be present in the 1760 trailers. 1762 5.7. Considerations for New HTTP Fields 1764 See Section 5.3 for a general requirements for field names, and 1765 Section 5.4 for a discussion of field values. 1767 Authors of specifications defining new fields are advised to consider 1768 documenting: 1770 o Whether the field is a single value or whether it can be a list 1771 (delimited by commas; see Section 5.4). 1773 If it is not a list, document how to treat messages where the 1774 field occurs multiple times (a sensible default would be to ignore 1775 the field, but this might not always be the right choice). 1777 Note that intermediaries and software libraries might combine 1778 multiple field instances into a single one, despite the field's 1779 definition not allowing the list syntax. A robust format enables 1780 recipients to discover these situations (good example: "Content- 1781 Type", as the comma can only appear inside quoted strings; bad 1782 example: "Location", as a comma can occur inside a URI). 1784 o Under what conditions the field can be used; e.g., only in 1785 responses or requests, in all messages, only on responses to a 1786 particular request method, etc. 1788 o What the scope of applicability for the information conveyed in 1789 the field is. By default, fields apply only to the message they 1790 are associated with, but some response fields are designed to 1791 apply to all representations of a resource, the resource itself, 1792 or an even broader scope. Specifications that expand the scope of 1793 a response field will need to carefully consider issues such as 1794 content negotiation, the time period of applicability, and (in 1795 some cases) multi-tenant server deployments. 1797 o Whether the field should be stored by origin servers that 1798 understand it upon a PUT request. 1800 o Whether the field semantics are further refined by the context, 1801 such as by existing request methods or status codes. 1803 o Whether it is appropriate to list the field name in the Connection 1804 header field (i.e., if the field is to be hop-by-hop; see 1805 Section 9.1 of [Messaging]). 1807 o Under what conditions intermediaries are allowed to insert, 1808 delete, or modify the field's value. 1810 o Whether it is appropriate to list the field name in a Vary 1811 response header field (e.g., when the request header field is used 1812 by an origin server's content selection algorithm; see 1813 Section 11.1.4). 1815 o Whether the field is allowable in trailers (see Section 5.6). 1817 o Whether the field ought to be preserved across redirects. 1819 o Whether it introduces any additional security considerations, such 1820 as disclosure of privacy-related data. 1822 5.8. Fields Defined In This Document 1824 The following fields are defined by this document: 1826 +---------------------------+------------+-----------------+ 1827 | Field Name | Status | Reference | 1828 +---------------------------+------------+-----------------+ 1829 | Accept | standard | Section 9.4.1 | 1830 | Accept-Charset | deprecated | Section 9.4.2 | 1831 | Accept-Encoding | standard | Section 9.4.3 | 1832 | Accept-Language | standard | Section 9.4.4 | 1833 | Accept-Ranges | standard | Section 11.4.1 | 1834 | Allow | standard | Section 11.4.2 | 1835 | Authentication-Info | standard | Section 11.3.3 | 1836 | Authorization | standard | Section 9.5.3 | 1837 | Content-Encoding | standard | Section 7.2.2 | 1838 | Content-Language | standard | Section 7.2.3 | 1839 | Content-Length | standard | Section 7.2.4 | 1840 | Content-Location | standard | Section 7.2.5 | 1841 | Content-Range | standard | Section 7.3.4 | 1842 | Content-Type | standard | Section 7.2.1 | 1843 | Date | standard | Section 11.1.1 | 1844 | ETag | standard | Section 11.2.3 | 1845 | Expect | standard | Section 9.1.1 | 1846 | From | standard | Section 9.6.1 | 1847 | Host | standard | Section 6.6 | 1848 | If-Match | standard | Section 9.2.3 | 1849 | If-Modified-Since | standard | Section 9.2.5 | 1850 | If-None-Match | standard | Section 9.2.4 | 1851 | If-Range | standard | Section 9.2.7 | 1852 | If-Unmodified-Since | standard | Section 9.2.6 | 1853 | Last-Modified | standard | Section 11.2.2 | 1854 | Location | standard | Section 11.1.2 | 1855 | Max-Forwards | standard | Section 9.1.2 | 1856 | Proxy-Authenticate | standard | Section 11.3.2 | 1857 | Proxy-Authentication-Info | standard | Section 11.3.4 | 1858 | Proxy-Authorization | standard | Section 9.5.4 | 1859 | Range | standard | Section 9.3 | 1860 | Referer | standard | Section 9.6.2 | 1861 | Retry-After | standard | Section 11.1.3 | 1862 | Server | standard | Section 11.4.3 | 1863 | Trailer | standard | Section 5.6.3 | 1864 | User-Agent | standard | Section 9.6.3 | 1865 | Vary | standard | Section 11.1.4 | 1866 | Via | standard | Section 6.7.1 | 1867 | WWW-Authenticate | standard | Section 11.3.1 | 1868 +---------------------------+------------+-----------------+ 1870 Table 1 1872 Furthermore, the field name "*" is reserved, since using that name as 1873 an HTTP header field might conflict with its special semantics in the 1874 Vary header field (Section 11.1.4). 1876 +------------+----------+--------------+-------------+ 1877 | Field Name | Status | Reference | Comments | 1878 +------------+----------+--------------+-------------+ 1879 | * | standard | Section 5.8 | (reserved) | 1880 +------------+----------+--------------+-------------+ 1882 6. Message Routing 1884 HTTP request message routing is determined by each client based on 1885 the target resource, the client's proxy configuration, and 1886 establishment or reuse of an inbound connection. The corresponding 1887 response routing follows the same connection chain back to the 1888 client. 1890 6.1. Identifying a Target Resource 1892 HTTP is used in a wide variety of applications, ranging from general- 1893 purpose computers to home appliances. In some cases, communication 1894 options are hard-coded in a client's configuration. However, most 1895 HTTP clients rely on the same resource identification mechanism and 1896 configuration techniques as general-purpose Web browsers. 1898 HTTP communication is initiated by a user agent for some purpose. 1899 The purpose is a combination of request semantics and a target 1900 resource upon which to apply those semantics. The "request target" 1901 is the protocol element that identifies the "target resource". 1903 Typically, the request target is a URI reference (Section 2.4) which 1904 a user agent would resolve to its absolute form in order to obtain 1905 the "target URI". The target URI excludes the reference's fragment 1906 component, if any, since fragment identifiers are reserved for 1907 client-side processing ([RFC3986], Section 3.5). 1909 However, there are two special, method-specific forms allowed for the 1910 request target in specific circumstances: 1912 o For CONNECT (Section 8.3.6), the request target is the host name 1913 and port number of the tunnel destination, separated by a colon. 1915 o For OPTIONS (Section 8.3.7), the request target can be a single 1916 asterisk ("*"). 1918 See the respective method definitions for details. These forms MUST 1919 NOT be used with other methods. 1921 6.2. Determining Origin 1923 The "origin" for a given URI is the triple of scheme, host, and port 1924 after normalizing the scheme and host to lowercase and normalizing 1925 the port to remove any leading zeros. If port is elided from the 1926 URI, the default port for that scheme is used. For example, the URI 1928 https://Example.Com/happy.js 1930 would have the origin 1932 { "https", "example.com", "443" } 1934 which can also be described as the normalized URI prefix with port 1935 always present: 1937 https://example.com:443 1939 Each origin defines its own namespace and controls how identifiers 1940 within that namespace are mapped to resources. In turn, how the 1941 origin responds to valid requests, consistently over time, determines 1942 the semantics that users will associate with a URI, and the 1943 usefulness of those semantics is what ultimately transforms these 1944 mechanisms into a "resource" for users to reference and access in the 1945 future. 1947 Two origins are distinct if they differ in scheme, host, or port. 1948 Even when it can be verified that the same entity controls two 1949 distinct origins, the two namespaces under those origins are distinct 1950 unless explicitly aliased by a server authoritative for that origin. 1952 Origin is also used within HTML and related Web protocols, beyond the 1953 scope of this document, as described in [RFC6454]. 1955 6.3. Routing Inbound 1957 Once the target URI and its origin are determined, a client decides 1958 whether a network request is necessary to accomplish the desired 1959 semantics and, if so, where that request is to be directed. 1961 If the client has a cache [Caching] and the request can be satisfied 1962 by it, then the request is usually directed there first. 1964 If the request is not satisfied by a cache, then a typical client 1965 will check its configuration to determine whether a proxy is to be 1966 used to satisfy the request. Proxy configuration is implementation- 1967 dependent, but is often based on URI prefix matching, selective 1968 authority matching, or both, and the proxy itself is usually 1969 identified by an "http" or "https" URI. If a proxy is applicable, 1970 the client connects inbound by establishing (or reusing) a connection 1971 to that proxy. 1973 If no proxy is applicable, a typical client will invoke a handler 1974 routine, usually specific to the target URI's scheme, to connect 1975 directly to an origin for the target resource. How that is 1976 accomplished is dependent on the target URI scheme and defined by its 1977 associated specification, similar to how this specification defines 1978 origin server access for resolution of the "http" (Section 2.5.1) and 1979 "https" (Section 2.5.2) schemes. 1981 6.4. Direct Authoritative Access 1983 6.4.1. http origins 1985 Although HTTP is independent of the transport protocol, the "http" 1986 scheme is specific to associating authority with whomever controls 1987 the origin server listening for TCP connections on the indicated port 1988 of whatever host is identified within the authority component. This 1989 is a very weak sense of authority because it depends on both client- 1990 specific name resolution mechanisms and communication that might not 1991 be secured from man-in-the-middle attacks. Nevertheless, it is a 1992 sufficient minimum for binding "http" identifiers to an origin server 1993 for consistent resolution within a trusted environment. 1995 If the host identifier is provided as an IP address, the origin 1996 server is the listener (if any) on the indicated TCP port at that IP 1997 address. If host is a registered name, the registered name is an 1998 indirect identifier for use with a name resolution service, such as 1999 DNS, to find an address for an appropriate origin server. 2001 When an "http" URI is used within a context that calls for access to 2002 the indicated resource, a client MAY attempt access by resolving the 2003 host identifier to an IP address, establishing a TCP connection to 2004 that address on the indicated port, and sending an HTTP request 2005 message to the server containing the URI's identifying data 2006 (Section 2 of [Messaging]). 2008 If the server responds to such a request with a non-interim HTTP 2009 response message, as described in Section 10, then that response is 2010 considered an authoritative answer to the client's request. 2012 Note, however, that the above is not the only means for obtaining an 2013 authoritative response, nor does it imply that an authoritative 2014 response is always necessary (see [Caching]). For example, the Alt- 2015 Svc header field [RFC7838] allows an origin server to identify other 2016 services that are also authoritative for that origin. Access to 2017 "http" identified resources might also be provided by protocols 2018 outside the scope of this document. 2020 See Section 12.1 for security considerations related to establishing 2021 authority. 2023 6.4.2. https origins 2025 The "https" scheme associates authority based on the ability of a 2026 server to use a private key associated with a certificate that the 2027 client considers to be trustworthy for the identified host. If a 2028 server presents a certificate that verifiably applies to the host, 2029 along with proof that it controls the corresponding private key, then 2030 a client will accept a secured connection to that server as being 2031 authoritative for all origins with the same scheme and host. 2033 A client is therefore relying upon a chain of trust, conveyed from 2034 some trust anchor (which is usually prearranged or configured), 2035 through a chain of certificates (e.g., [RFC5280]) to a final 2036 certificate that binds a private key to the host name of the origin. 2037 The handshake and certificate validation in Section 6.4.3 describe 2038 how that final certificate can be used to initiate a secured 2039 connection. 2041 Note that the "https" scheme does not rely on TCP and the connected 2042 port number for associating authority, since both are outside the 2043 secured communication and thus cannot be trusted as definitive. 2044 Hence, the HTTP communication might take place over any channel that 2045 has been secured, as defined in Section 2.5.2, including protocols 2046 that don't use TCP. It is the origin's responsibility to ensure that 2047 any services provided with control over its certificate's private key 2048 are equally responsible for managing the corresponding "https" 2049 namespaces, or at least prepared to reject requests that appear to 2050 have been misdirected. Regardless, the origin's host and port value 2051 are passed within each HTTP request, identifying the target resource 2052 and distinguishing it from other namespaces that might be controlled 2053 by the same server. 2055 In HTTP/1.1 and earlier, the only URIs for which a client will 2056 attribute authority to a server are those for which a TLS connection 2057 was specifically established toward the origin's host. Only the 2058 characteristics of the connection establishment and certificate are 2059 used. For a host that is a domain name, the client MUST include that 2060 name in the TLS server_name extension (if used) and MUST verify that 2061 the name also appears as either the CN field of the certificate 2062 subject or as a dNSName in the subjectAltName field of the 2063 certificate (see [RFC6125]). For a host that is an IP address, the 2064 client MUST verify that the address appears in the subjectAltName of 2065 the certificate. 2067 In HTTP/2, a client will associate authority to all names that are 2068 present in the certificate. However, a client will only do that if 2069 it concludes that it could open a connection to the origin for that 2070 URI. In practice, a client will make a DNS query and see that it 2071 contains the same server IP address. A server sending the ORIGIN 2072 frame removes this restriction [RFC8336]. 2074 In addition to the client's verification, an origin server is 2075 responsible for verifying that requests it receives over a connection 2076 correspond to resources for which it actually wants to be the origin. 2077 If a network attacker causes connections for port N to be received at 2078 port Q, checking the target URI is necessary to ensure that the 2079 attacker can't cause "https://example.com:N/foo" to be replaced by 2080 "https://example.com:Q/foo" without consent. Likewise, a server 2081 might be unwilling to serve as the origin for some hosts even when 2082 they have the authority to do so. 2084 When an "https" URI is used within a context that calls for access to 2085 the indicated resource, a client MAY attempt access by resolving the 2086 host identifier to an IP address, establishing a TCP connection to 2087 that address on the indicated port, securing the connection end-to- 2088 end by successfully initiating TLS over TCP with confidentiality and 2089 integrity protection, and sending an HTTP request message to the 2090 server over that secured connection containing the URI's identifying 2091 data (Section 2 of [Messaging]). 2093 If the server responds to such a request with a non-interim HTTP 2094 response message, as described in Section 10, then that response is 2095 considered an authoritative answer to the client's request. 2097 Note, however, that the above is not the only means for obtaining an 2098 authoritative response, nor does it imply that an authoritative 2099 response is always necessary (see [Caching]). 2101 6.4.3. Initiating HTTP Over TLS 2103 Conceptually, HTTP/TLS is very simple. Simply use HTTP over TLS 2104 precisely as you would use HTTP over TCP. 2106 The agent acting as the HTTP client should also act as the TLS 2107 client. It should initiate a connection to the server on the 2108 appropriate port and then send the TLS ClientHello to begin the TLS 2109 handshake. When the TLS handshake has finished. The client may then 2110 initiate the first HTTP request. All HTTP data MUST be sent as TLS 2111 "application data". Normal HTTP behavior, including retained 2112 connections should be followed. 2114 6.4.3.1. Identifying HTTPS Servers 2116 In general, HTTP/TLS requests are generated by dereferencing a URI. 2117 As a consequence, the hostname for the server is known to the client. 2118 If the hostname is available, the client MUST check it against the 2119 server's identity as presented in the server's Certificate message, 2120 in order to prevent man-in-the-middle attacks. 2122 If the client has external information as to the expected identity of 2123 the server, the hostname check MAY be omitted. (For instance, a 2124 client may be connecting to a machine whose address and hostname are 2125 dynamic but the client knows the certificate that the server will 2126 present.) In such cases, it is important to narrow the scope of 2127 acceptable certificates as much as possible in order to prevent man 2128 in the middle attacks. In special cases, it may be appropriate for 2129 the client to simply ignore the server's identity, but it must be 2130 understood that this leaves the connection open to active attack. 2132 If a subjectAltName extension of type dNSName is present, that MUST 2133 be used as the identity. Otherwise, the (most specific) Common Name 2134 field in the Subject field of the certificate MUST be used. Although 2135 the use of the Common Name is existing practice, it is deprecated and 2136 Certification Authorities are encouraged to use the dNSName instead. 2138 Matching is performed using the matching rules specified by 2139 [RFC5280]. If more than one identity of a given type is present in 2140 the certificate (e.g., more than one dNSName name, a match in any one 2141 of the set is considered acceptable.) Names may contain the wildcard 2142 character * which is considered to match any single domain name 2143 component or component fragment. E.g., *.a.com matches foo.a.com but 2144 not bar.foo.a.com. f*.com matches foo.com but not bar.com. 2146 In some cases, the URI is specified as an IP address rather than a 2147 hostname. In this case, the iPAddress subjectAltName must be present 2148 in the certificate and must exactly match the IP in the URI. 2150 If the hostname does not match the identity in the certificate, user 2151 oriented clients MUST either notify the user (clients MAY give the 2152 user the opportunity to continue with the connection in any case) or 2153 terminate the connection with a bad certificate error. Automated 2154 clients MUST log the error to an appropriate audit log (if available) 2155 and SHOULD terminate the connection (with a bad certificate error). 2156 Automated clients MAY provide a configuration setting that disables 2157 this check, but MUST provide a setting which enables it. 2159 Note that in many cases the URI itself comes from an untrusted 2160 source. The above-described check provides no protection against 2161 attacks where this source is compromised. For example, if the URI 2162 was obtained by clicking on an HTML page which was itself obtained 2163 without using HTTP/TLS, a man in the middle could have replaced the 2164 URI. In order to prevent this form of attack, users should carefully 2165 examine the certificate presented by the server to determine if it 2166 meets their expectations. 2168 6.4.3.2. Identifying HTTPS Clients 2170 Typically, the server has no external knowledge of what the client's 2171 identity ought to be and so checks (other than that the client has a 2172 certificate chain rooted in an appropriate CA) are not possible. If 2173 a server has such knowledge (typically from some source external to 2174 HTTP or TLS) it SHOULD check the identity as described above. 2176 6.5. Reconstructing the Target URI 2178 Once an inbound connection is obtained, the client sends an HTTP 2179 request message (Section 2 of [Messaging]). 2181 Depending on the nature of the request, the client's target URI might 2182 be split into components and transmitted (or implied) within various 2183 parts of a request message. These parts are recombined by each 2184 recipient, in accordance with their local configuration and incoming 2185 connection context, to determine the target URI. Appendix of 2186 [Messaging] defines how a server determines the target URI for an 2187 HTTP/1.1 request. 2189 Once the target URI has been reconstructed, an origin server needs to 2190 decide whether or not to provide service for that URI via the 2191 connection in which the request was received. For example, the 2192 request might have been misdirected, deliberately or accidentally, 2193 such that the information within a received Host header field differs 2194 from the host or port upon which the connection has been made. If 2195 the connection is from a trusted gateway, that inconsistency might be 2196 expected; otherwise, it might indicate an attempt to bypass security 2197 filters, trick the server into delivering non-public content, or 2198 poison a cache. See Section 12 for security considerations regarding 2199 message routing. 2201 Note: previous specifications defined the recomposed target URI as 2202 a distinct concept, the effective request URI. 2204 6.6. Host 2206 The "Host" header field in a request provides the host and port 2207 information from the target URI, enabling the origin server to 2208 distinguish among resources while servicing requests for multiple 2209 host names on a single IP address. 2211 Host = uri-host [ ":" port ] ; Section 2.4 2213 A client MUST send a Host header field in all HTTP/1.1 request 2214 messages. If the target URI includes an authority component, then a 2215 client MUST send a field value for Host that is identical to that 2216 authority component, excluding any userinfo subcomponent and its "@" 2217 delimiter (Section 2.5.1). If the authority component is missing or 2218 undefined for the target URI, then a client MUST send a Host header 2219 field with an empty field value. 2221 Since the Host field value is critical information for handling a 2222 request, a user agent SHOULD generate Host as the first header field 2223 following the request-line. 2225 For example, a GET request to the origin server for 2226 would begin with: 2228 GET /pub/WWW/ HTTP/1.1 2229 Host: www.example.org 2231 Since the Host header field acts as an application-level routing 2232 mechanism, it is a frequent target for malware seeking to poison a 2233 shared cache or redirect a request to an unintended server. An 2234 interception proxy is particularly vulnerable if it relies on the 2235 Host field value for redirecting requests to internal servers, or for 2236 use as a cache key in a shared cache, without first verifying that 2237 the intercepted connection is targeting a valid IP address for that 2238 host. 2240 A server MUST respond with a 400 (Bad Request) status code to any 2241 HTTP/1.1 request message that lacks a Host header field and to any 2242 request message that contains more than one Host header field or a 2243 Host header field with an invalid field value. 2245 6.7. Message Forwarding 2247 As described in Section 2.2, intermediaries can serve a variety of 2248 roles in the processing of HTTP requests and responses. Some 2249 intermediaries are used to improve performance or availability. 2250 Others are used for access control or to filter content. Since an 2251 HTTP stream has characteristics similar to a pipe-and-filter 2252 architecture, there are no inherent limits to the extent an 2253 intermediary can enhance (or interfere) with either direction of the 2254 stream. 2256 An intermediary not acting as a tunnel MUST implement the Connection 2257 header field, as specified in Section 9.1 of [Messaging], and exclude 2258 fields from being forwarded that are only intended for the incoming 2259 connection. 2261 An intermediary MUST NOT forward a message to itself unless it is 2262 protected from an infinite request loop. In general, an intermediary 2263 ought to recognize its own server names, including any aliases, local 2264 variations, or literal IP addresses, and respond to such requests 2265 directly. 2267 An HTTP message can be parsed as a stream for incremental processing 2268 or forwarding downstream. However, recipients cannot rely on 2269 incremental delivery of partial messages, since some implementations 2270 will buffer or delay message forwarding for the sake of network 2271 efficiency, security checks, or payload transformations. 2273 6.7.1. Via 2275 The "Via" header field indicates the presence of intermediate 2276 protocols and recipients between the user agent and the server (on 2277 requests) or between the origin server and the client (on responses), 2278 similar to the "Received" header field in email (Section 3.6.7 of 2279 [RFC5322]). Via can be used for tracking message forwards, avoiding 2280 request loops, and identifying the protocol capabilities of senders 2281 along the request/response chain. 2283 Via = 1#( received-protocol RWS received-by [ RWS comment ] ) 2285 received-protocol = [ protocol-name "/" ] protocol-version 2286 ; see [Messaging], Section 9.9 2287 received-by = pseudonym [ ":" port ] 2288 pseudonym = token 2290 Each member of the Via field value represents a proxy or gateway that 2291 has forwarded the message. Each intermediary appends its own 2292 information about how the message was received, such that the end 2293 result is ordered according to the sequence of forwarding recipients. 2295 A proxy MUST send an appropriate Via header field, as described 2296 below, in each message that it forwards. An HTTP-to-HTTP gateway 2297 MUST send an appropriate Via header field in each inbound request 2298 message and MAY send a Via header field in forwarded response 2299 messages. 2301 For each intermediary, the received-protocol indicates the protocol 2302 and protocol version used by the upstream sender of the message. 2303 Hence, the Via field value records the advertised protocol 2304 capabilities of the request/response chain such that they remain 2305 visible to downstream recipients; this can be useful for determining 2306 what backwards-incompatible features might be safe to use in 2307 response, or within a later request, as described in Section 4.2. 2308 For brevity, the protocol-name is omitted when the received protocol 2309 is HTTP. 2311 The received-by portion is normally the host and optional port number 2312 of a recipient server or client that subsequently forwarded the 2313 message. However, if the real host is considered to be sensitive 2314 information, a sender MAY replace it with a pseudonym. If a port is 2315 not provided, a recipient MAY interpret that as meaning it was 2316 received on the default TCP port, if any, for the received-protocol. 2318 A sender MAY generate comments to identify the software of each 2319 recipient, analogous to the User-Agent and Server header fields. 2320 However, comments in Via are optional, and a recipient MAY remove 2321 them prior to forwarding the message. 2323 For example, a request message could be sent from an HTTP/1.0 user 2324 agent to an internal proxy code-named "fred", which uses HTTP/1.1 to 2325 forward the request to a public proxy at p.example.net, which 2326 completes the request by forwarding it to the origin server at 2327 www.example.com. The request received by www.example.com would then 2328 have the following Via header field: 2330 Via: 1.0 fred, 1.1 p.example.net 2332 An intermediary used as a portal through a network firewall SHOULD 2333 NOT forward the names and ports of hosts within the firewall region 2334 unless it is explicitly enabled to do so. If not enabled, such an 2335 intermediary SHOULD replace each received-by host of any host behind 2336 the firewall by an appropriate pseudonym for that host. 2338 An intermediary MAY combine an ordered subsequence of Via header 2339 field list members into a single member if the entries have identical 2340 received-protocol values. For example, 2342 Via: 1.0 ricky, 1.1 ethel, 1.1 fred, 1.0 lucy 2344 could be collapsed to 2346 Via: 1.0 ricky, 1.1 mertz, 1.0 lucy 2348 A sender SHOULD NOT combine multiple list members unless they are all 2349 under the same organizational control and the hosts have already been 2350 replaced by pseudonyms. A sender MUST NOT combine members that have 2351 different received-protocol values. 2353 6.7.2. Transformations 2355 Some intermediaries include features for transforming messages and 2356 their payloads. A proxy might, for example, convert between image 2357 formats in order to save cache space or to reduce the amount of 2358 traffic on a slow link. However, operational problems might occur 2359 when these transformations are applied to payloads intended for 2360 critical applications, such as medical imaging or scientific data 2361 analysis, particularly when integrity checks or digital signatures 2362 are used to ensure that the payload received is identical to the 2363 original. 2365 An HTTP-to-HTTP proxy is called a "transforming proxy" if it is 2366 designed or configured to modify messages in a semantically 2367 meaningful way (i.e., modifications, beyond those required by normal 2368 HTTP processing, that change the message in a way that would be 2369 significant to the original sender or potentially significant to 2370 downstream recipients). For example, a transforming proxy might be 2371 acting as a shared annotation server (modifying responses to include 2372 references to a local annotation database), a malware filter, a 2373 format transcoder, or a privacy filter. Such transformations are 2374 presumed to be desired by whichever client (or client organization) 2375 selected the proxy. 2377 If a proxy receives a target URI with a host name that is not a fully 2378 qualified domain name, it MAY add its own domain to the host name it 2379 received when forwarding the request. A proxy MUST NOT change the 2380 host name if the target URI contains a fully qualified domain name. 2382 A proxy MUST NOT modify the "absolute-path" and "query" parts of the 2383 received target URI when forwarding it to the next inbound server, 2384 except as noted above to replace an empty path with "/" or "*". 2386 A proxy MAY modify the message body through application or removal of 2387 a transfer coding (Section 7 of [Messaging]). 2389 A proxy MUST NOT transform the payload (Section 7.3) of a message 2390 that contains a no-transform cache-control response directive 2391 (Section 5.2 of [Caching]). 2393 A proxy MAY transform the payload of a message that does not contain 2394 a no-transform cache-control directive. A proxy that transforms the 2395 payload of a 200 (OK) response can inform downstream recipients that 2396 a transformation has been applied by changing the response status 2397 code to 203 (Non-Authoritative Information) (Section 10.3.4). 2399 A proxy SHOULD NOT modify header fields that provide information 2400 about the endpoints of the communication chain, the resource state, 2401 or the selected representation (other than the payload) unless the 2402 field's definition specifically allows such modification or the 2403 modification is deemed necessary for privacy or security. 2405 7. Representations 2407 Considering that a resource could be anything, and that the uniform 2408 interface provided by HTTP is similar to a window through which one 2409 can observe and act upon such a thing only through the communication 2410 of messages to some independent actor on the other side, an 2411 abstraction is needed to represent ("take the place of") the current 2412 or desired state of that thing in our communications. That 2413 abstraction is called a representation [REST]. 2415 For the purposes of HTTP, a "representation" is information that is 2416 intended to reflect a past, current, or desired state of a given 2417 resource, in a format that can be readily communicated via the 2418 protocol, and that consists of a set of representation metadata and a 2419 potentially unbounded stream of representation data. 2421 An origin server might be provided with, or be capable of generating, 2422 multiple representations that are each intended to reflect the 2423 current state of a target resource. In such cases, some algorithm is 2424 used by the origin server to select one of those representations as 2425 most applicable to a given request, usually based on content 2426 negotiation. This "selected representation" is used to provide the 2427 data and metadata for evaluating conditional requests (Section 9.2) 2428 and constructing the payload for 200 (OK), 206 (Partial Content), and 2429 304 (Not Modified) responses to GET (Section 8.3.1). 2431 7.1. Representation Data 2433 The representation data associated with an HTTP message is either 2434 provided as the payload body of the message or referred to by the 2435 message semantics and the target URI. The representation data is in 2436 a format and encoding defined by the representation metadata header 2437 fields. 2439 The data type of the representation data is determined via the header 2440 fields Content-Type and Content-Encoding. These define a two-layer, 2441 ordered encoding model: 2443 representation-data := Content-Encoding( Content-Type( bits ) ) 2445 7.1.1. Media Type 2447 HTTP uses media types [RFC2046] in the Content-Type (Section 7.2.1) 2448 and Accept (Section 9.4.1) header fields in order to provide open and 2449 extensible data typing and type negotiation. Media types define both 2450 a data format and various processing models: how to process that data 2451 in accordance with each context in which it is received. 2453 media-type = type "/" subtype *( OWS ";" OWS parameter ) 2454 type = token 2455 subtype = token 2457 The type and subtype tokens are case-insensitive. 2459 The type/subtype MAY be followed by semicolon-delimited parameters 2460 (Section 5.4.1.4) in the form of name=value pairs. The presence or 2461 absence of a parameter might be significant to the processing of a 2462 media type, depending on its definition within the media type 2463 registry. Parameter values might or might not be case-sensitive, 2464 depending on the semantics of the parameter name. 2466 For example, the following media types are equivalent in describing 2467 HTML text data encoded in the UTF-8 character encoding scheme, but 2468 the first is preferred for consistency (the "charset" parameter value 2469 is defined as being case-insensitive in [RFC2046], Section 4.1.2): 2471 text/html;charset=utf-8 2472 Text/HTML;Charset="utf-8" 2473 text/html; charset="utf-8" 2474 text/html;charset=UTF-8 2476 Media types ought to be registered with IANA according to the 2477 procedures defined in [BCP13]. 2479 7.1.1.1. Charset 2481 HTTP uses charset names to indicate or negotiate the character 2482 encoding scheme of a textual representation [RFC6365]. A charset is 2483 identified by a case-insensitive token. 2485 charset = token 2487 Charset names ought to be registered in the IANA "Character Sets" 2488 registry () 2489 according to the procedures defined in Section 2 of [RFC2978]. 2491 Note: In theory, charset names are defined by the "mime-charset" 2492 ABNF rule defined in Section 2.3 of [RFC2978] (as corrected in 2494 [Err1912]). That rule allows two characters that are not included 2495 in "token" ("{" and "}"), but no charset name registered at the 2496 time of this writing includes braces (see [Err5433]). 2498 7.1.1.2. Canonicalization and Text Defaults 2500 Media types are registered with a canonical form in order to be 2501 interoperable among systems with varying native encoding formats. 2502 Representations selected or transferred via HTTP ought to be in 2503 canonical form, for many of the same reasons described by the 2504 Multipurpose Internet Mail Extensions (MIME) [RFC2045]. However, the 2505 performance characteristics of email deployments (i.e., store and 2506 forward messages to peers) are significantly different from those 2507 common to HTTP and the Web (server-based information services). 2508 Furthermore, MIME's constraints for the sake of compatibility with 2509 older mail transfer protocols do not apply to HTTP (see Appendix B of 2510 [Messaging]). 2512 MIME's canonical form requires that media subtypes of the "text" type 2513 use CRLF as the text line break. HTTP allows the transfer of text 2514 media with plain CR or LF alone representing a line break, when such 2515 line breaks are consistent for an entire representation. An HTTP 2516 sender MAY generate, and a recipient MUST be able to parse, line 2517 breaks in text media that consist of CRLF, bare CR, or bare LF. In 2518 addition, text media in HTTP is not limited to charsets that use 2519 octets 13 and 10 for CR and LF, respectively. This flexibility 2520 regarding line breaks applies only to text within a representation 2521 that has been assigned a "text" media type; it does not apply to 2522 "multipart" types or HTTP elements outside the payload body (e.g., 2523 header fields). 2525 If a representation is encoded with a content-coding, the underlying 2526 data ought to be in a form defined above prior to being encoded. 2528 7.1.1.3. Multipart Types 2530 MIME provides for a number of "multipart" types -- encapsulations of 2531 one or more representations within a single message body. All 2532 multipart types share a common syntax, as defined in Section 5.1.1 of 2533 [RFC2046], and include a boundary parameter as part of the media type 2534 value. The message body is itself a protocol element; a sender MUST 2535 generate only CRLF to represent line breaks between body parts. 2537 HTTP message framing does not use the multipart boundary as an 2538 indicator of message body length, though it might be used by 2539 implementations that generate or process the payload. For example, 2540 the "multipart/form-data" type is often used for carrying form data 2541 in a request, as described in [RFC7578], and the "multipart/ 2542 byteranges" type is defined by this specification for use in some 206 2543 (Partial Content) responses (see Section 10.3.7). 2545 7.1.2. Content Codings 2547 Content coding values indicate an encoding transformation that has 2548 been or can be applied to a representation. Content codings are 2549 primarily used to allow a representation to be compressed or 2550 otherwise usefully transformed without losing the identity of its 2551 underlying media type and without loss of information. Frequently, 2552 the representation is stored in coded form, transmitted directly, and 2553 only decoded by the final recipient. 2555 content-coding = token 2557 All content codings are case-insensitive and ought to be registered 2558 within the "HTTP Content Coding Registry", as defined in 2559 Section 7.1.2.4 2561 Content-coding values are used in the Accept-Encoding (Section 9.4.3) 2562 and Content-Encoding (Section 7.2.2) header fields. 2564 The following content-coding values are defined by this 2565 specification: 2567 +------------+------------------------------------------+-----------+ 2568 | Name | Description | Reference | 2569 +------------+------------------------------------------+-----------+ 2570 | compress | UNIX "compress" data format [Welch] | Section 7 | 2571 | | | .1.2.1 | 2572 | deflate | "deflate" compressed data ([RFC1951]) | Section 7 | 2573 | | inside the "zlib" data format | .1.2.2 | 2574 | | ([RFC1950]) | | 2575 | gzip | GZIP file format [RFC1952] | Section 7 | 2576 | | | .1.2.3 | 2577 | identity | Reserved | Section 9 | 2578 | | | .4.3 | 2579 | x-compress | Deprecated (alias for compress) | Section 7 | 2580 | | | .1.2.1 | 2581 | x-gzip | Deprecated (alias for gzip) | Section 7 | 2582 | | | .1.2.3 | 2583 +------------+------------------------------------------+-----------+ 2585 Table 2 2587 7.1.2.1. Compress Coding 2589 The "compress" coding is an adaptive Lempel-Ziv-Welch (LZW) coding 2590 [Welch] that is commonly produced by the UNIX file compression 2591 program "compress". A recipient SHOULD consider "x-compress" to be 2592 equivalent to "compress". 2594 7.1.2.2. Deflate Coding 2596 The "deflate" coding is a "zlib" data format [RFC1950] containing a 2597 "deflate" compressed data stream [RFC1951] that uses a combination of 2598 the Lempel-Ziv (LZ77) compression algorithm and Huffman coding. 2600 Note: Some non-conformant implementations send the "deflate" 2601 compressed data without the zlib wrapper. 2603 7.1.2.3. Gzip Coding 2605 The "gzip" coding is an LZ77 coding with a 32-bit Cyclic Redundancy 2606 Check (CRC) that is commonly produced by the gzip file compression 2607 program [RFC1952]. A recipient SHOULD consider "x-gzip" to be 2608 equivalent to "gzip". 2610 7.1.2.4. Content Coding Registry 2612 The "HTTP Content Coding Registry", maintained by IANA at 2613 , registers 2614 content-coding names. 2616 Content coding registrations MUST include the following fields: 2618 o Name 2620 o Description 2622 o Pointer to specification text 2624 Names of content codings MUST NOT overlap with names of transfer 2625 codings (Section 7 of [Messaging]), unless the encoding 2626 transformation is identical (as is the case for the compression 2627 codings defined in Section 7.1.2). 2629 Values to be added to this namespace require IETF Review (see 2630 Section 4.8 of [RFC8126]) and MUST conform to the purpose of content 2631 coding defined in Section 7.1.2. 2633 7.1.3. Language Tags 2635 A language tag, as defined in [RFC5646], identifies a natural 2636 language spoken, written, or otherwise conveyed by human beings for 2637 communication of information to other human beings. Computer 2638 languages are explicitly excluded. 2640 HTTP uses language tags within the Accept-Language and Content- 2641 Language header fields. Accept-Language uses the broader language- 2642 range production defined in Section 9.4.4, whereas Content-Language 2643 uses the language-tag production defined below. 2645 language-tag = 2647 A language tag is a sequence of one or more case-insensitive subtags, 2648 each separated by a hyphen character ("-", %x2D). In most cases, a 2649 language tag consists of a primary language subtag that identifies a 2650 broad family of related languages (e.g., "en" = English), which is 2651 optionally followed by a series of subtags that refine or narrow that 2652 language's range (e.g., "en-CA" = the variety of English as 2653 communicated in Canada). Whitespace is not allowed within a language 2654 tag. Example tags include: 2656 fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN 2658 See [RFC5646] for further information. 2660 7.1.4. Range Units 2662 Representation data can be partitioned into subranges when there are 2663 addressable structural units inherent to that data's content coding 2664 or media type. For example, octet (a.k.a., byte) boundaries are a 2665 structural unit common to all representation data, allowing 2666 partitions of the data to be identified as a range of bytes at some 2667 offset from the start or end of that data. 2669 This general notion of a "range unit" is used in the Accept-Ranges 2670 (Section 11.4.1) response header field to advertise support for range 2671 requests, the Range (Section 9.3) request header field to delineate 2672 the parts of a representation that are requested, and the Content- 2673 Range (Section 7.3.4) payload header field to describe which part of 2674 a representation is being transferred. 2676 range-unit = token 2678 All range unit names are case-insensitive and ought to be registered 2679 within the "HTTP Range Unit Registry", as defined in Section 7.1.4.4 2680 The following range unit names are defined by this document: 2682 +------------+-----------------------------------------+------------+ 2683 | Range Unit | Description | Reference | 2684 | Name | | | 2685 +------------+-----------------------------------------+------------+ 2686 | bytes | a range of octets | Section 7. | 2687 | | | 1.4.2 | 2688 | none | reserved as keyword to indicate range | Section 11 | 2689 | | requests are not supported | .4.1 | 2690 +------------+-----------------------------------------+------------+ 2692 Table 3 2694 7.1.4.1. Range Specifiers 2696 Ranges are expressed in terms of a range unit paired with a set of 2697 range specifiers. The range unit name determines what kinds of 2698 range-spec are applicable to its own specifiers. Hence, the 2699 following gramar is generic: each range unit is expected to specify 2700 requirements on when int-range, suffix-range, and other-range are 2701 allowed. 2703 A range request can specify a single range or a set of ranges within 2704 a single representation. 2706 ranges-specifier = range-unit "=" range-set 2707 range-set = 1#range-spec 2708 range-spec = int-range 2709 / suffix-range 2710 / other-range 2712 An int-range is a range expressed as two non-negative integers or as 2713 one non-negative integer through to the end of the representation 2714 data. The range unit specifies what the integers mean (e.g., they 2715 might indicate unit offsets from the beginning, inclusive numbered 2716 parts, etc.). 2718 int-range = first-pos "-" [ last-pos ] 2719 first-pos = 1*DIGIT 2720 last-pos = 1*DIGIT 2722 An int-range is invalid if the last-pos value is present and less 2723 than the first-pos. 2725 A suffix-range is a range expressed as a suffix of the representation 2726 data with the provided non-negative integer maximum length (in range 2727 units). In other words, the last N units of the representation data. 2729 suffix-range = "-" suffix-length 2730 suffix-length = 1*DIGIT 2732 To provide for extensibility, the other-range rule is a mostly 2733 unconstrained grammar that allows application-specific or future 2734 range units to define additional range specifiers. 2736 other-range = 1*( %x21-2B / %x2D-7E ) 2737 ; 1*(VCHAR excluding comma) 2739 7.1.4.2. Byte Ranges 2741 The "bytes" range unit is used to express subranges of a 2742 representation data's octet sequence. Each byte range is expressed 2743 as an integer range at some offset, relative to either the beginning 2744 (int-range) or end (suffix-range) of the representation data. Byte 2745 ranges do not use the other-range specifier. 2747 The first-pos value in a bytes int-range gives the offset of the 2748 first byte in a range. The last-pos value gives the offset of the 2749 last byte in the range; that is, the byte positions specified are 2750 inclusive. Byte offsets start at zero. 2752 If the representation data has a content coding applied, each byte 2753 range is calculated with respect to the encoded sequence of bytes, 2754 not the sequence of underlying bytes that would be obtained after 2755 decoding. 2757 Examples of bytes range specifiers: 2759 o The first 500 bytes (byte offsets 0-499, inclusive): 2761 bytes=0-499 2763 o The second 500 bytes (byte offsets 500-999, inclusive): 2765 bytes=500-999 2767 A client can limit the number of bytes requested without knowing the 2768 size of the selected representation. If the last-pos value is 2769 absent, or if the value is greater than or equal to the current 2770 length of the representation data, the byte range is interpreted as 2771 the remainder of the representation (i.e., the server replaces the 2772 value of last-pos with a value that is one less than the current 2773 length of the selected representation). 2775 A client can request the last N bytes (N > 0) of the selected 2776 representation using a suffix-range. If the selected representation 2777 is shorter than the specified suffix-length, the entire 2778 representation is used. 2780 Additional examples, assuming a representation of length 10000: 2782 o The final 500 bytes (byte offsets 9500-9999, inclusive): 2784 bytes=-500 2786 Or: 2788 bytes=9500- 2790 o The first and last bytes only (bytes 0 and 9999): 2792 bytes=0-0,-1 2794 o The first, middle, and last 1000 bytes: 2796 bytes= 0-999, 4500-5499, -1000 2798 o Other valid (but not canonical) specifications of the second 500 2799 bytes (byte offsets 500-999, inclusive): 2801 bytes=500-600,601-999 2802 bytes=500-700,601-999 2804 If a valid bytes range-set includes at least one range-spec with a 2805 first-pos that is less than the current length of the representation, 2806 or at least one suffix-range with a non-zero suffix-length, then the 2807 bytes range-set is satisfiable. Otherwise, the bytes range-set is 2808 unsatisfiable. 2810 If the selected representation has zero length, the only satisfiable 2811 form of range-spec is a suffix-range with a non-zero suffix-length. 2813 In the byte-range syntax, first-pos, last-pos, and suffix-length are 2814 expressed as decimal number of octets. Since there is no predefined 2815 limit to the length of a payload, recipients MUST anticipate 2816 potentially large decimal numerals and prevent parsing errors due to 2817 integer conversion overflows. 2819 7.1.4.3. Other Range Units 2821 Other range units, such as format-specific boundaries like pages, 2822 sections, records, rows, or time, are potentially usable in HTTP for 2823 application-specific purposes, but are not commonly used in practice. 2824 Implementors of alternative range units ought to consider how they 2825 would work with content codings and general-purpose intermediaries. 2827 Range units are intended to be extensible. New range units ought to 2828 be registered with IANA, as defined in Section 7.1.4.4. 2830 7.1.4.4. Range Unit Registry 2832 The "HTTP Range Unit Registry" defines the namespace for the range 2833 unit names and refers to their corresponding specifications. It is 2834 maintained at . 2836 Registration of an HTTP Range Unit MUST include the following fields: 2838 o Name 2840 o Description 2842 o Pointer to specification text 2844 Values to be added to this namespace require IETF Review (see 2845 [RFC8126], Section 4.8). 2847 7.2. Representation Metadata 2849 Representation header fields provide metadata about the 2850 representation. When a message includes a payload body, the 2851 representation header fields describe how to interpret the 2852 representation data enclosed in the payload body. In a response to a 2853 HEAD request, the representation header fields describe the 2854 representation data that would have been enclosed in the payload body 2855 if the same request had been a GET. 2857 The following header fields convey representation metadata: 2859 +------------------+---------------+ 2860 | Field Name | Defined in... | 2861 +------------------+---------------+ 2862 | Content-Type | Section 7.2.1 | 2863 | Content-Encoding | Section 7.2.2 | 2864 | Content-Language | Section 7.2.3 | 2865 | Content-Length | Section 7.2.4 | 2866 | Content-Location | Section 7.2.5 | 2867 +------------------+---------------+ 2869 7.2.1. Content-Type 2871 The "Content-Type" header field indicates the media type of the 2872 associated representation: either the representation enclosed in the 2873 message payload or the selected representation, as determined by the 2874 message semantics. The indicated media type defines both the data 2875 format and how that data is intended to be processed by a recipient, 2876 within the scope of the received message semantics, after any content 2877 codings indicated by Content-Encoding are decoded. 2879 Content-Type = media-type 2881 Media types are defined in Section 7.1.1. An example of the field is 2883 Content-Type: text/html; charset=ISO-8859-4 2885 A sender that generates a message containing a payload body SHOULD 2886 generate a Content-Type header field in that message unless the 2887 intended media type of the enclosed representation is unknown to the 2888 sender. If a Content-Type header field is not present, the recipient 2889 MAY either assume a media type of "application/octet-stream" 2890 ([RFC2046], Section 4.5.1) or examine the data to determine its type. 2892 In practice, resource owners do not always properly configure their 2893 origin server to provide the correct Content-Type for a given 2894 representation. Some user agents examine a payload's content and, in 2895 certain cases, override the received type (for example, see 2896 [Sniffing]). This "MIME sniffing" risks drawing incorrect 2897 conclusions about the data, which might expose the user to additional 2898 security risks (e.g., "privilege escalation"). Furthermore, it is 2899 impossible to determine the sender's intended processing model by 2900 examining the data format: many data formats match multiple media 2901 types that differ only in processing semantics. Implementers are 2902 encouraged to provide a means to disable such sniffing. 2904 7.2.2. Content-Encoding 2906 The "Content-Encoding" header field indicates what content codings 2907 have been applied to the representation, beyond those inherent in the 2908 media type, and thus what decoding mechanisms have to be applied in 2909 order to obtain data in the media type referenced by the Content-Type 2910 header field. Content-Encoding is primarily used to allow a 2911 representation's data to be compressed without losing the identity of 2912 its underlying media type. 2914 Content-Encoding = 1#content-coding 2916 An example of its use is 2918 Content-Encoding: gzip 2920 If one or more encodings have been applied to a representation, the 2921 sender that applied the encodings MUST generate a Content-Encoding 2922 header field that lists the content codings in the order in which 2923 they were applied. Note that the coding named "identity" is reserved 2924 for its special role in Accept-Encoding, and thus SHOULD NOT be 2925 included. 2927 Additional information about the encoding parameters can be provided 2928 by other header fields not defined by this specification. 2930 Unlike Transfer-Encoding (Section 6.1 of [Messaging]), the codings 2931 listed in Content-Encoding are a characteristic of the 2932 representation; the representation is defined in terms of the coded 2933 form, and all other metadata about the representation is about the 2934 coded form unless otherwise noted in the metadata definition. 2935 Typically, the representation is only decoded just prior to rendering 2936 or analogous usage. 2938 If the media type includes an inherent encoding, such as a data 2939 format that is always compressed, then that encoding would not be 2940 restated in Content-Encoding even if it happens to be the same 2941 algorithm as one of the content codings. Such a content coding would 2942 only be listed if, for some bizarre reason, it is applied a second 2943 time to form the representation. Likewise, an origin server might 2944 choose to publish the same data as multiple representations that 2945 differ only in whether the coding is defined as part of Content-Type 2946 or Content-Encoding, since some user agents will behave differently 2947 in their handling of each response (e.g., open a "Save as ..." dialog 2948 instead of automatic decompression and rendering of content). 2950 An origin server MAY respond with a status code of 415 (Unsupported 2951 Media Type) if a representation in the request message has a content 2952 coding that is not acceptable. 2954 7.2.3. Content-Language 2956 The "Content-Language" header field describes the natural language(s) 2957 of the intended audience for the representation. Note that this 2958 might not be equivalent to all the languages used within the 2959 representation. 2961 Content-Language = 1#language-tag 2963 Language tags are defined in Section 7.1.3. The primary purpose of 2964 Content-Language is to allow a user to identify and differentiate 2965 representations according to the users' own preferred language. 2966 Thus, if the content is intended only for a Danish-literate audience, 2967 the appropriate field is 2969 Content-Language: da 2971 If no Content-Language is specified, the default is that the content 2972 is intended for all language audiences. This might mean that the 2973 sender does not consider it to be specific to any natural language, 2974 or that the sender does not know for which language it is intended. 2976 Multiple languages MAY be listed for content that is intended for 2977 multiple audiences. For example, a rendition of the "Treaty of 2978 Waitangi", presented simultaneously in the original Maori and English 2979 versions, would call for 2981 Content-Language: mi, en 2983 However, just because multiple languages are present within a 2984 representation does not mean that it is intended for multiple 2985 linguistic audiences. An example would be a beginner's language 2986 primer, such as "A First Lesson in Latin", which is clearly intended 2987 to be used by an English-literate audience. In this case, the 2988 Content-Language would properly only include "en". 2990 Content-Language MAY be applied to any media type -- it is not 2991 limited to textual documents. 2993 7.2.4. Content-Length 2995 [[CREF1: The "Content-Length" header field indicates the number of 2996 data octets (body length) for the representation. In some cases, 2997 Content-Length is used to define or estimate message framing. ]] 2998 Content-Length = 1*DIGIT 3000 An example is 3002 Content-Length: 3495 3004 A sender MUST NOT send a Content-Length header field in any message 3005 that contains a Transfer-Encoding header field. 3007 A user agent SHOULD send a Content-Length in a request message when 3008 no Transfer-Encoding is sent and the request method defines a meaning 3009 for an enclosed payload body. For example, a Content-Length header 3010 field is normally sent in a POST request even when the value is 0 3011 (indicating an empty payload body). A user agent SHOULD NOT send a 3012 Content-Length header field when the request message does not contain 3013 a payload body and the method semantics do not anticipate such a 3014 body. 3016 A server MAY send a Content-Length header field in a response to a 3017 HEAD request (Section 8.3.2); a server MUST NOT send Content-Length 3018 in such a response unless its field value equals the decimal number 3019 of octets that would have been sent in the payload body of a response 3020 if the same request had used the GET method. 3022 A server MAY send a Content-Length header field in a 304 (Not 3023 Modified) response to a conditional GET request (Section 10.4.5); a 3024 server MUST NOT send Content-Length in such a response unless its 3025 field value equals the decimal number of octets that would have been 3026 sent in the payload body of a 200 (OK) response to the same request. 3028 A server MUST NOT send a Content-Length header field in any response 3029 with a status code of 1xx (Informational) or 204 (No Content). A 3030 server MUST NOT send a Content-Length header field in any 2xx 3031 (Successful) response to a CONNECT request (Section 8.3.6). 3033 Aside from the cases defined above, in the absence of Transfer- 3034 Encoding, an origin server SHOULD send a Content-Length header field 3035 when the payload body size is known prior to sending the complete 3036 header section. This will allow downstream recipients to measure 3037 transfer progress, know when a received message is complete, and 3038 potentially reuse the connection for additional requests. 3040 Any Content-Length field value greater than or equal to zero is 3041 valid. Since there is no predefined limit to the length of a 3042 payload, a recipient MUST anticipate potentially large decimal 3043 numerals and prevent parsing errors due to integer conversion 3044 overflows (Section 12.5). 3046 If a message is received that has a Content-Length header field value 3047 consisting of the same decimal value as a comma-separated list 3048 (Section 5.5) -- for example, "Content-Length: 42, 42" -- indicating 3049 that duplicate Content-Length header fields have been generated or 3050 combined by an upstream message processor, then the recipient MUST 3051 either reject the message as invalid or replace the duplicated field 3052 values with a single valid Content-Length field containing that 3053 decimal value prior to determining the message body length or 3054 forwarding the message. 3056 7.2.5. Content-Location 3058 The "Content-Location" header field references a URI that can be used 3059 as an identifier for a specific resource corresponding to the 3060 representation in this message's payload. In other words, if one 3061 were to perform a GET request on this URI at the time of this 3062 message's generation, then a 200 (OK) response would contain the same 3063 representation that is enclosed as payload in this message. 3065 Content-Location = absolute-URI / partial-URI 3067 The field value is either an absolute-URI or a partial-URI. In the 3068 latter case (Section 2.4), the referenced URI is relative to the 3069 target URI ([RFC3986], Section 5). 3071 The Content-Location value is not a replacement for the target URI 3072 (Section 6.1). It is representation metadata. It has the same 3073 syntax and semantics as the header field of the same name defined for 3074 MIME body parts in Section 4 of [RFC2557]. However, its appearance 3075 in an HTTP message has some special implications for HTTP recipients. 3077 If Content-Location is included in a 2xx (Successful) response 3078 message and its value refers (after conversion to absolute form) to a 3079 URI that is the same as the target URI, then the recipient MAY 3080 consider the payload to be a current representation of that resource 3081 at the time indicated by the message origination date. For a GET 3082 (Section 8.3.1) or HEAD (Section 8.3.2) request, this is the same as 3083 the default semantics when no Content-Location is provided by the 3084 server. For a state-changing request like PUT (Section 8.3.4) or 3085 POST (Section 8.3.3), it implies that the server's response contains 3086 the new representation of that resource, thereby distinguishing it 3087 from representations that might only report about the action (e.g., 3088 "It worked!"). This allows authoring applications to update their 3089 local copies without the need for a subsequent GET request. 3091 If Content-Location is included in a 2xx (Successful) response 3092 message and its field value refers to a URI that differs from the 3093 target URI, then the origin server claims that the URI is an 3094 identifier for a different resource corresponding to the enclosed 3095 representation. Such a claim can only be trusted if both identifiers 3096 share the same resource owner, which cannot be programmatically 3097 determined via HTTP. 3099 o For a response to a GET or HEAD request, this is an indication 3100 that the target URI refers to a resource that is subject to 3101 content negotiation and the Content-Location field value is a more 3102 specific identifier for the selected representation. 3104 o For a 201 (Created) response to a state-changing method, a 3105 Content-Location field value that is identical to the Location 3106 field value indicates that this payload is a current 3107 representation of the newly created resource. 3109 o Otherwise, such a Content-Location indicates that this payload is 3110 a representation reporting on the requested action's status and 3111 that the same report is available (for future access with GET) at 3112 the given URI. For example, a purchase transaction made via a 3113 POST request might include a receipt document as the payload of 3114 the 200 (OK) response; the Content-Location field value provides 3115 an identifier for retrieving a copy of that same receipt in the 3116 future. 3118 A user agent that sends Content-Location in a request message is 3119 stating that its value refers to where the user agent originally 3120 obtained the content of the enclosed representation (prior to any 3121 modifications made by that user agent). In other words, the user 3122 agent is providing a back link to the source of the original 3123 representation. 3125 An origin server that receives a Content-Location field in a request 3126 message MUST treat the information as transitory request context 3127 rather than as metadata to be saved verbatim as part of the 3128 representation. An origin server MAY use that context to guide in 3129 processing the request or to save it for other uses, such as within 3130 source links or versioning metadata. However, an origin server MUST 3131 NOT use such context information to alter the request semantics. 3133 For example, if a client makes a PUT request on a negotiated resource 3134 and the origin server accepts that PUT (without redirection), then 3135 the new state of that resource is expected to be consistent with the 3136 one representation supplied in that PUT; the Content-Location cannot 3137 be used as a form of reverse content selection identifier to update 3138 only one of the negotiated representations. If the user agent had 3139 wanted the latter semantics, it would have applied the PUT directly 3140 to the Content-Location URI. 3142 7.3. Payload 3144 Some HTTP messages transfer a complete or partial representation as 3145 the message "payload". In some cases, a payload might contain only 3146 the associated representation's header fields (e.g., responses to 3147 HEAD) or only some part(s) of the representation data (e.g., the 206 3148 (Partial Content) status code). 3150 Header fields that specifically describe the payload, rather than the 3151 associated representation, are referred to as "payload header 3152 fields". Payload header fields are defined in other parts of this 3153 specification, due to their impact on message parsing. 3155 +-------------------+----------------------------+ 3156 | Field Name | Defined in... | 3157 +-------------------+----------------------------+ 3158 | Content-Range | Section 7.3.4 | 3159 | Trailer | Section 5.6.3 | 3160 | Transfer-Encoding | Section 6.1 of [Messaging] | 3161 +-------------------+----------------------------+ 3163 7.3.1. Purpose 3165 The purpose of a payload in a request is defined by the method 3166 semantics. For example, a representation in the payload of a PUT 3167 request (Section 8.3.4) represents the desired state of the target 3168 resource if the request is successfully applied, whereas a 3169 representation in the payload of a POST request (Section 8.3.3) 3170 represents information to be processed by the target resource. 3172 In a response, the payload's purpose is defined by both the request 3173 method and the response status code. For example, the payload of a 3174 200 (OK) response to GET (Section 8.3.1) represents the current state 3175 of the target resource, as observed at the time of the message 3176 origination date (Section 11.1.1), whereas the payload of the same 3177 status code in a response to POST might represent either the 3178 processing result or the new state of the target resource after 3179 applying the processing. Response messages with an error status code 3180 usually contain a payload that represents the error condition, such 3181 that it describes the error state and what next steps are suggested 3182 for resolving it. 3184 7.3.2. Identification 3186 When a complete or partial representation is transferred in a message 3187 payload, it is often desirable for the sender to supply, or the 3188 recipient to determine, an identifier for a resource corresponding to 3189 that representation. 3191 For a request message: 3193 o If the request has a Content-Location header field, then the 3194 sender asserts that the payload is a representation of the 3195 resource identified by the Content-Location field value. However, 3196 such an assertion cannot be trusted unless it can be verified by 3197 other means (not defined by this specification). The information 3198 might still be useful for revision history links. 3200 o Otherwise, the payload is unidentified. 3202 For a response message, the following rules are applied in order 3203 until a match is found: 3205 1. If the request method is GET or HEAD and the response status code 3206 is 200 (OK), 204 (No Content), 206 (Partial Content), or 304 (Not 3207 Modified), the payload is a representation of the resource 3208 identified by the target URI (Section 6.1). 3210 2. If the request method is GET or HEAD and the response status code 3211 is 203 (Non-Authoritative Information), the payload is a 3212 potentially modified or enhanced representation of the target 3213 resource as provided by an intermediary. 3215 3. If the response has a Content-Location header field and its field 3216 value is a reference to the same URI as the target URI, the 3217 payload is a representation of the target resource. 3219 4. If the response has a Content-Location header field and its field 3220 value is a reference to a URI different from the target URI, then 3221 the sender asserts that the payload is a representation of the 3222 resource identified by the Content-Location field value. 3223 However, such an assertion cannot be trusted unless it can be 3224 verified by other means (not defined by this specification). 3226 5. Otherwise, the payload is unidentified. 3228 7.3.3. Payload Body 3230 The payload body contains the data of a request or response. This is 3231 distinct from the message body (e.g., Section 6 of [Messaging]), 3232 which is how the payload body is transferred "on the wire", and might 3233 be encoded, depending on the HTTP version in use. 3235 It is also distinct from a request or response's representation data 3236 (Section 7.1), which can be inferred from protocol operation, rather 3237 than necessarily appearing "on the wire." 3238 The presence of a payload body in a request depends on whether the 3239 request method used defines semantics for it. 3241 The presence of a payload body in a response depends on both the 3242 request method to which it is responding and the response status code 3243 (Section 10). 3245 Responses to the HEAD request method (Section 8.3.2) never include a 3246 payload body because the associated response header fields indicate 3247 only what their values would have been if the request method had been 3248 GET (Section 8.3.1). 3250 2xx (Successful) responses to a CONNECT request method 3251 (Section 8.3.6) switch the connection to tunnel mode instead of 3252 having a payload body. 3254 All 1xx (Informational), 204 (No Content), and 304 (Not Modified) 3255 responses do not include a payload body. 3257 All other responses do include a payload body, although that body 3258 might be of zero length. 3260 7.3.4. Content-Range 3262 The "Content-Range" header field is sent in a single part 206 3263 (Partial Content) response to indicate the partial range of the 3264 selected representation enclosed as the message payload, sent in each 3265 part of a multipart 206 response to indicate the range enclosed 3266 within each body part, and sent in 416 (Range Not Satisfiable) 3267 responses to provide information about the selected representation. 3269 Content-Range = range-unit SP 3270 ( range-resp / unsatisfied-range ) 3272 range-resp = incl-range "/" ( complete-length / "*" ) 3273 incl-range = first-pos "-" last-pos 3274 unsatisfied-range = "*/" complete-length 3276 complete-length = 1*DIGIT 3278 If a 206 (Partial Content) response contains a Content-Range header 3279 field with a range unit (Section 7.1.4) that the recipient does not 3280 understand, the recipient MUST NOT attempt to recombine it with a 3281 stored representation. A proxy that receives such a message SHOULD 3282 forward it downstream. 3284 For byte ranges, a sender SHOULD indicate the complete length of the 3285 representation from which the range has been extracted, unless the 3286 complete length is unknown or difficult to determine. An asterisk 3287 character ("*") in place of the complete-length indicates that the 3288 representation length was unknown when the header field was 3289 generated. 3291 The following example illustrates when the complete length of the 3292 selected representation is known by the sender to be 1234 bytes: 3294 Content-Range: bytes 42-1233/1234 3296 and this second example illustrates when the complete length is 3297 unknown: 3299 Content-Range: bytes 42-1233/* 3301 A Content-Range field value is invalid if it contains a range-resp 3302 that has a last-pos value less than its first-pos value, or a 3303 complete-length value less than or equal to its last-pos value. The 3304 recipient of an invalid Content-Range MUST NOT attempt to recombine 3305 the received content with a stored representation. 3307 A server generating a 416 (Range Not Satisfiable) response to a byte- 3308 range request SHOULD send a Content-Range header field with an 3309 unsatisfied-range value, as in the following example: 3311 Content-Range: bytes */1234 3313 The complete-length in a 416 response indicates the current length of 3314 the selected representation. 3316 The Content-Range header field has no meaning for status codes that 3317 do not explicitly describe its semantic. For this specification, 3318 only the 206 (Partial Content) and 416 (Range Not Satisfiable) status 3319 codes describe a meaning for Content-Range. 3321 The following are examples of Content-Range values in which the 3322 selected representation contains a total of 1234 bytes: 3324 o The first 500 bytes: 3326 Content-Range: bytes 0-499/1234 3328 o The second 500 bytes: 3330 Content-Range: bytes 500-999/1234 3332 o All except for the first 500 bytes: 3334 Content-Range: bytes 500-1233/1234 3336 o The last 500 bytes: 3338 Content-Range: bytes 734-1233/1234 3340 7.3.5. Media Type multipart/byteranges 3342 When a 206 (Partial Content) response message includes the content of 3343 multiple ranges, they are transmitted as body parts in a multipart 3344 message body ([RFC2046], Section 5.1) with the media type of 3345 "multipart/byteranges". 3347 The multipart/byteranges media type includes one or more body parts, 3348 each with its own Content-Type and Content-Range fields. The 3349 required boundary parameter specifies the boundary string used to 3350 separate each body part. 3352 Implementation Notes: 3354 1. Additional CRLFs might precede the first boundary string in the 3355 body. 3357 2. Although [RFC2046] permits the boundary string to be quoted, some 3358 existing implementations handle a quoted boundary string 3359 incorrectly. 3361 3. A number of clients and servers were coded to an early draft of 3362 the byteranges specification that used a media type of multipart/ 3363 x-byteranges, which is almost (but not quite) compatible with 3364 this type. 3366 Despite the name, the "multipart/byteranges" media type is not 3367 limited to byte ranges. The following example uses an "exampleunit" 3368 range unit: 3370 HTTP/1.1 206 Partial Content 3371 Date: Tue, 14 Nov 1995 06:25:24 GMT 3372 Last-Modified: Tue, 14 July 04:58:08 GMT 3373 Content-Length: 2331785 3374 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 3376 --THIS_STRING_SEPARATES 3377 Content-Type: video/example 3378 Content-Range: exampleunit 1.2-4.3/25 3380 ...the first range... 3381 --THIS_STRING_SEPARATES 3382 Content-Type: video/example 3383 Content-Range: exampleunit 11.2-14.3/25 3385 ...the second range 3386 --THIS_STRING_SEPARATES-- 3388 The following information serves as the registration form for the 3389 multipart/byteranges media type. 3391 Type name: multipart 3393 Subtype name: byteranges 3395 Required parameters: boundary 3397 Optional parameters: N/A 3399 Encoding considerations: only "7bit", "8bit", or "binary" are 3400 permitted 3402 Security considerations: see Section 12 3404 Interoperability considerations: N/A 3406 Published specification: This specification (see Section 7.3.5). 3408 Applications that use this media type: HTTP components supporting 3409 multiple ranges in a single request. 3411 Fragment identifier considerations: N/A 3413 Additional information: 3415 Deprecated alias names for this type: N/A 3417 Magic number(s): N/A 3418 File extension(s): N/A 3420 Macintosh file type code(s): N/A 3422 Person and email address to contact for further information: See Aut 3423 hors' Addresses section. 3425 Intended usage: COMMON 3427 Restrictions on usage: N/A 3429 Author: See Authors' Addresses section. 3431 Change controller: IESG 3433 7.4. Content Negotiation 3435 When responses convey payload information, whether indicating a 3436 success or an error, the origin server often has different ways of 3437 representing that information; for example, in different formats, 3438 languages, or encodings. Likewise, different users or user agents 3439 might have differing capabilities, characteristics, or preferences 3440 that could influence which representation, among those available, 3441 would be best to deliver. For this reason, HTTP provides mechanisms 3442 for content negotiation. 3444 This specification defines three patterns of content negotiation that 3445 can be made visible within the protocol: "proactive" negotiation, 3446 where the server selects the representation based upon the user 3447 agent's stated preferences, "reactive" negotiation, where the server 3448 provides a list of representations for the user agent to choose from, 3449 and "request payload" negotiation, where the user agent selects the 3450 representation for a future request based upon the server's stated 3451 preferences in past responses. Other patterns of content negotiation 3452 include "conditional content", where the representation consists of 3453 multiple parts that are selectively rendered based on user agent 3454 parameters, "active content", where the representation contains a 3455 script that makes additional (more specific) requests based on the 3456 user agent characteristics, and "Transparent Content Negotiation" 3457 ([RFC2295]), where content selection is performed by an intermediary. 3458 These patterns are not mutually exclusive, and each has trade-offs in 3459 applicability and practicality. 3461 Note that, in all cases, HTTP is not aware of the resource semantics. 3462 The consistency with which an origin server responds to requests, 3463 over time and over the varying dimensions of content negotiation, and 3464 thus the "sameness" of a resource's observed representations over 3465 time, is determined entirely by whatever entity or algorithm selects 3466 or generates those responses. 3468 7.4.1. Proactive Negotiation 3470 When content negotiation preferences are sent by the user agent in a 3471 request to encourage an algorithm located at the server to select the 3472 preferred representation, it is called proactive negotiation (a.k.a., 3473 server-driven negotiation). Selection is based on the available 3474 representations for a response (the dimensions over which it might 3475 vary, such as language, content-coding, etc.) compared to various 3476 information supplied in the request, including both the explicit 3477 negotiation fields of Section 9.4 and implicit characteristics, such 3478 as the client's network address or parts of the User-Agent field. 3480 Proactive negotiation is advantageous when the algorithm for 3481 selecting from among the available representations is difficult to 3482 describe to a user agent, or when the server desires to send its 3483 "best guess" to the user agent along with the first response (hoping 3484 to avoid the round trip delay of a subsequent request if the "best 3485 guess" is good enough for the user). In order to improve the 3486 server's guess, a user agent MAY send request header fields that 3487 describe its preferences. 3489 Proactive negotiation has serious disadvantages: 3491 o It is impossible for the server to accurately determine what might 3492 be "best" for any given user, since that would require complete 3493 knowledge of both the capabilities of the user agent and the 3494 intended use for the response (e.g., does the user want to view it 3495 on screen or print it on paper?); 3497 o Having the user agent describe its capabilities in every request 3498 can be both very inefficient (given that only a small percentage 3499 of responses have multiple representations) and a potential risk 3500 to the user's privacy; 3502 o It complicates the implementation of an origin server and the 3503 algorithms for generating responses to a request; and, 3505 o It limits the reusability of responses for shared caching. 3507 A user agent cannot rely on proactive negotiation preferences being 3508 consistently honored, since the origin server might not implement 3509 proactive negotiation for the requested resource or might decide that 3510 sending a response that doesn't conform to the user agent's 3511 preferences is better than sending a 406 (Not Acceptable) response. 3513 A Vary header field (Section 11.1.4) is often sent in a response 3514 subject to proactive negotiation to indicate what parts of the 3515 request information were used in the selection algorithm. 3517 7.4.2. Reactive Negotiation 3519 With reactive negotiation (a.k.a., agent-driven negotiation), 3520 selection of the best response representation (regardless of the 3521 status code) is performed by the user agent after receiving an 3522 initial response from the origin server that contains a list of 3523 resources for alternative representations. If the user agent is not 3524 satisfied by the initial response representation, it can perform a 3525 GET request on one or more of the alternative resources, selected 3526 based on metadata included in the list, to obtain a different form of 3527 representation for that response. Selection of alternatives might be 3528 performed automatically by the user agent or manually by the user 3529 selecting from a generated (possibly hypertext) menu. 3531 Note that the above refers to representations of the response, in 3532 general, not representations of the resource. The alternative 3533 representations are only considered representations of the target 3534 resource if the response in which those alternatives are provided has 3535 the semantics of being a representation of the target resource (e.g., 3536 a 200 (OK) response to a GET request) or has the semantics of 3537 providing links to alternative representations for the target 3538 resource (e.g., a 300 (Multiple Choices) response to a GET request). 3540 A server might choose not to send an initial representation, other 3541 than the list of alternatives, and thereby indicate that reactive 3542 negotiation by the user agent is preferred. For example, the 3543 alternatives listed in responses with the 300 (Multiple Choices) and 3544 406 (Not Acceptable) status codes include information about the 3545 available representations so that the user or user agent can react by 3546 making a selection. 3548 Reactive negotiation is advantageous when the response would vary 3549 over commonly used dimensions (such as type, language, or encoding), 3550 when the origin server is unable to determine a user agent's 3551 capabilities from examining the request, and generally when public 3552 caches are used to distribute server load and reduce network usage. 3554 Reactive negotiation suffers from the disadvantages of transmitting a 3555 list of alternatives to the user agent, which degrades user-perceived 3556 latency if transmitted in the header section, and needing a second 3557 request to obtain an alternate representation. Furthermore, this 3558 specification does not define a mechanism for supporting automatic 3559 selection, though it does not prevent such a mechanism from being 3560 developed as an extension. 3562 7.4.3. Request Payload Negotiation 3564 When content negotiation preferences are sent in a server's response, 3565 the listed preferences are called request payload negotiation because 3566 they intend to influence selection of an appropriate payload for 3567 subsequent requests to that resource. For example, the Accept- 3568 Encoding field (Section 9.4.3) can be sent in a response to indicate 3569 preferred content codings for subsequent requests to that resource 3570 [RFC7694]. 3572 Similarly, Section 3.1 of [RFC5789] defines the "Accept-Patch" 3573 response header field which allows discovery of which content 3574 types are accepted in PATCH requests. 3576 7.4.4. Quality Values 3578 The content negotiation fields defined by this specification use a 3579 common parameter, named "q" (case-insensitive), to assign a relative 3580 "weight" to the preference for that associated kind of content. This 3581 weight is referred to as a "quality value" (or "qvalue") because the 3582 same parameter name is often used within server configurations to 3583 assign a weight to the relative quality of the various 3584 representations that can be selected for a resource. 3586 The weight is normalized to a real number in the range 0 through 1, 3587 where 0.001 is the least preferred and 1 is the most preferred; a 3588 value of 0 means "not acceptable". If no "q" parameter is present, 3589 the default weight is 1. 3591 weight = OWS ";" OWS "q=" qvalue 3592 qvalue = ( "0" [ "." 0*3DIGIT ] ) 3593 / ( "1" [ "." 0*3("0") ] ) 3595 A sender of qvalue MUST NOT generate more than three digits after the 3596 decimal point. User configuration of these values ought to be 3597 limited in the same fashion. 3599 8. Request Methods 3601 8.1. Overview 3603 The request method token is the primary source of request semantics; 3604 it indicates the purpose for which the client has made this request 3605 and what is expected by the client as a successful result. 3607 The request method's semantics might be further specialized by the 3608 semantics of some header fields when present in a request (Section 9) 3609 if those additional semantics do not conflict with the method. For 3610 example, a client can send conditional request header fields 3611 (Section 9.2) to make the requested action conditional on the current 3612 state of the target resource. 3614 method = token 3616 HTTP was originally designed to be usable as an interface to 3617 distributed object systems. The request method was envisioned as 3618 applying semantics to a target resource in much the same way as 3619 invoking a defined method on an identified object would apply 3620 semantics. 3622 The method token is case-sensitive because it might be used as a 3623 gateway to object-based systems with case-sensitive method names. By 3624 convention, standardized methods are defined in all-uppercase US- 3625 ASCII letters. 3627 Unlike distributed objects, the standardized request methods in HTTP 3628 are not resource-specific, since uniform interfaces provide for 3629 better visibility and reuse in network-based systems [REST]. Once 3630 defined, a standardized method ought to have the same semantics when 3631 applied to any resource, though each resource determines for itself 3632 whether those semantics are implemented or allowed. 3634 This specification defines a number of standardized methods that are 3635 commonly used in HTTP, as outlined by the following table. 3637 +---------+-------------------------------------------------+-------+ 3638 | Method | Description | Sec. | 3639 +---------+-------------------------------------------------+-------+ 3640 | GET | Transfer a current representation of the target | 8.3.1 | 3641 | | resource. | | 3642 | HEAD | Same as GET, but do not transfer the response | 8.3.2 | 3643 | | body. | | 3644 | POST | Perform resource-specific processing on the | 8.3.3 | 3645 | | request payload. | | 3646 | PUT | Replace all current representations of the | 8.3.4 | 3647 | | target resource with the request payload. | | 3648 | DELETE | Remove all current representations of the | 8.3.5 | 3649 | | target resource. | | 3650 | CONNECT | Establish a tunnel to the server identified by | 8.3.6 | 3651 | | the target resource. | | 3652 | OPTIONS | Describe the communication options for the | 8.3.7 | 3653 | | target resource. | | 3654 | TRACE | Perform a message loop-back test along the path | 8.3.8 | 3655 | | to the target resource. | | 3656 +---------+-------------------------------------------------+-------+ 3658 Table 4 3660 All general-purpose servers MUST support the methods GET and HEAD. 3661 All other methods are OPTIONAL. 3663 The set of methods allowed by a target resource can be listed in an 3664 Allow header field (Section 11.4.2). However, the set of allowed 3665 methods can change dynamically. When a request method is received 3666 that is unrecognized or not implemented by an origin server, the 3667 origin server SHOULD respond with the 501 (Not Implemented) status 3668 code. When a request method is received that is known by an origin 3669 server but not allowed for the target resource, the origin server 3670 SHOULD respond with the 405 (Method Not Allowed) status code. 3672 8.2. Common Method Properties 3673 +---------+------+------------+----------------+ 3674 | Method | Safe | Idempotent | Reference | 3675 +---------+------+------------+----------------+ 3676 | CONNECT | no | no | Section 8.3.6 | 3677 | DELETE | no | yes | Section 8.3.5 | 3678 | GET | yes | yes | Section 8.3.1 | 3679 | HEAD | yes | yes | Section 8.3.2 | 3680 | OPTIONS | yes | yes | Section 8.3.7 | 3681 | POST | no | no | Section 8.3.3 | 3682 | PUT | no | yes | Section 8.3.4 | 3683 | TRACE | yes | yes | Section 8.3.8 | 3684 +---------+------+------------+----------------+ 3686 Table 5 3688 8.2.1. Safe Methods 3690 Request methods are considered "safe" if their defined semantics are 3691 essentially read-only; i.e., the client does not request, and does 3692 not expect, any state change on the origin server as a result of 3693 applying a safe method to a target resource. Likewise, reasonable 3694 use of a safe method is not expected to cause any harm, loss of 3695 property, or unusual burden on the origin server. 3697 This definition of safe methods does not prevent an implementation 3698 from including behavior that is potentially harmful, that is not 3699 entirely read-only, or that causes side effects while invoking a safe 3700 method. What is important, however, is that the client did not 3701 request that additional behavior and cannot be held accountable for 3702 it. For example, most servers append request information to access 3703 log files at the completion of every response, regardless of the 3704 method, and that is considered safe even though the log storage might 3705 become full and crash the server. Likewise, a safe request initiated 3706 by selecting an advertisement on the Web will often have the side 3707 effect of charging an advertising account. 3709 Of the request methods defined by this specification, the GET, HEAD, 3710 OPTIONS, and TRACE methods are defined to be safe. 3712 The purpose of distinguishing between safe and unsafe methods is to 3713 allow automated retrieval processes (spiders) and cache performance 3714 optimization (pre-fetching) to work without fear of causing harm. In 3715 addition, it allows a user agent to apply appropriate constraints on 3716 the automated use of unsafe methods when processing potentially 3717 untrusted content. 3719 A user agent SHOULD distinguish between safe and unsafe methods when 3720 presenting potential actions to a user, such that the user can be 3721 made aware of an unsafe action before it is requested. 3723 When a resource is constructed such that parameters within the target 3724 URI have the effect of selecting an action, it is the resource 3725 owner's responsibility to ensure that the action is consistent with 3726 the request method semantics. For example, it is common for Web- 3727 based content editing software to use actions within query 3728 parameters, such as "page?do=delete". If the purpose of such a 3729 resource is to perform an unsafe action, then the resource owner MUST 3730 disable or disallow that action when it is accessed using a safe 3731 request method. Failure to do so will result in unfortunate side 3732 effects when automated processes perform a GET on every URI reference 3733 for the sake of link maintenance, pre-fetching, building a search 3734 index, etc. 3736 8.2.2. Idempotent Methods 3738 A request method is considered "idempotent" if the intended effect on 3739 the server of multiple identical requests with that method is the 3740 same as the effect for a single such request. Of the request methods 3741 defined by this specification, PUT, DELETE, and safe request methods 3742 are idempotent. 3744 Like the definition of safe, the idempotent property only applies to 3745 what has been requested by the user; a server is free to log each 3746 request separately, retain a revision control history, or implement 3747 other non-idempotent side effects for each idempotent request. 3749 Idempotent methods are distinguished because the request can be 3750 repeated automatically if a communication failure occurs before the 3751 client is able to read the server's response. For example, if a 3752 client sends a PUT request and the underlying connection is closed 3753 before any response is received, then the client can establish a new 3754 connection and retry the idempotent request. It knows that repeating 3755 the request will have the same intended effect, even if the original 3756 request succeeded, though the response might differ. 3758 A client SHOULD NOT automatically retry a request with a non- 3759 idempotent method unless it has some means to know that the request 3760 semantics are actually idempotent, regardless of the method, or some 3761 means to detect that the original request was never applied. 3763 For example, a user agent that knows (through design or 3764 configuration) that a POST request to a given resource is safe can 3765 repeat that request automatically. Likewise, a user agent designed 3766 specifically to operate on a version control repository might be able 3767 to recover from partial failure conditions by checking the target 3768 resource revision(s) after a failed connection, reverting or fixing 3769 any changes that were partially applied, and then automatically 3770 retrying the requests that failed. 3772 Some clients use weaker signals to initiate automatic retries. For 3773 example, when a POST request is sent, but the underlying transport 3774 connection is closed before any part of the response is received. 3775 Although this is commonly implemented, it is not recommended. 3777 A proxy MUST NOT automatically retry non-idempotent requests. A 3778 client SHOULD NOT automatically retry a failed automatic retry. 3780 8.2.3. Methods and Caching 3782 For a cache to store and use a response, the associated method needs 3783 to explicitly allow caching, and detail under what conditions a 3784 response can be used to satisfy subsequent requests; a method 3785 definition which does not do so cannot be cached. For additional 3786 requirements see [Caching]. 3788 This specification defines caching semantics for GET, HEAD, and POST, 3789 although the overwhelming majority of cache implementations only 3790 support GET and HEAD. 3792 8.3. Method Definitions 3794 8.3.1. GET 3796 The GET method requests transfer of a current selected representation 3797 for the target resource. GET is the primary mechanism of information 3798 retrieval and the focus of almost all performance optimizations. 3799 Hence, when people speak of retrieving some identifiable information 3800 via HTTP, they are generally referring to making a GET request. 3802 The GET method is specifically intended to reflect the quality of 3803 "sameness" identified by the request URI as if it were referenced as 3804 an ordinary hypertext link. 3806 It is tempting to think of resource identifiers as remote file system 3807 pathnames and of representations as being a copy of the contents of 3808 such files. In fact, that is how many resources are implemented (see 3809 Section 12.3 for related security considerations). However, there 3810 are no such limitations in practice. The HTTP interface for a 3811 resource is just as likely to be implemented as a tree of content 3812 objects, a programmatic view on various database records, or a 3813 gateway to other information systems. Even when the URI mapping 3814 mechanism is tied to a file system, an origin server might be 3815 configured to execute the files with the request as input and send 3816 the output as the representation rather than transfer the files 3817 directly. Regardless, only the origin server needs to know how each 3818 of its resource identifiers corresponds to an implementation and how 3819 each implementation manages to select and send a current 3820 representation of the target resource in a response to GET. 3822 A client can alter the semantics of GET to be a "range request", 3823 requesting transfer of only some part(s) of the selected 3824 representation, by sending a Range header field in the request 3825 (Section 9.3). 3827 A client SHOULD NOT generate a body in a GET request. A payload 3828 received in a GET request has no defined semantics, cannot alter the 3829 meaning or target of the request, and might lead some implementations 3830 to reject the request and close the connection because of its 3831 potential as a request smuggling attack (Section 11.2 of 3832 [Messaging]). 3834 The response to a GET request is cacheable; a cache MAY use it to 3835 satisfy subsequent GET and HEAD requests unless otherwise indicated 3836 by the Cache-Control header field (Section 5.2 of [Caching]). A 3837 cache that receives a payload in a GET request is likely to ignore 3838 that payload and cache regardless of the payload contents. 3840 8.3.2. HEAD 3842 The HEAD method is identical to GET except that the server MUST NOT 3843 send a message body in the response (i.e., the response terminates at 3844 the end of the header section). The server SHOULD send the same 3845 header fields in response to a HEAD request as it would have sent if 3846 the request had been a GET, except that the payload header fields 3847 (Section 7.3) MAY be omitted. This method can be used for obtaining 3848 metadata about the selected representation without transferring the 3849 representation data and is often used for testing hypertext links for 3850 validity, accessibility, and recent modification. 3852 A payload within a HEAD request message has no defined semantics; 3853 sending a payload body on a HEAD request might cause some existing 3854 implementations to reject the request. 3856 The response to a HEAD request is cacheable; a cache MAY use it to 3857 satisfy subsequent HEAD requests unless otherwise indicated by the 3858 Cache-Control header field (Section 5.2 of [Caching]). A HEAD 3859 response might also have an effect on previously cached responses to 3860 GET; see Section 4.3.5 of [Caching]. 3862 8.3.3. POST 3864 The POST method requests that the target resource process the 3865 representation enclosed in the request according to the resource's 3866 own specific semantics. For example, POST is used for the following 3867 functions (among others): 3869 o Providing a block of data, such as the fields entered into an HTML 3870 form, to a data-handling process; 3872 o Posting a message to a bulletin board, newsgroup, mailing list, 3873 blog, or similar group of articles; 3875 o Creating a new resource that has yet to be identified by the 3876 origin server; and 3878 o Appending data to a resource's existing representation(s). 3880 An origin server indicates response semantics by choosing an 3881 appropriate status code depending on the result of processing the 3882 POST request; almost all of the status codes defined by this 3883 specification might be received in a response to POST (the exceptions 3884 being 206 (Partial Content), 304 (Not Modified), and 416 (Range Not 3885 Satisfiable)). 3887 If one or more resources has been created on the origin server as a 3888 result of successfully processing a POST request, the origin server 3889 SHOULD send a 201 (Created) response containing a Location header 3890 field that provides an identifier for the primary resource created 3891 (Section 11.1.2) and a representation that describes the status of 3892 the request while referring to the new resource(s). 3894 Responses to POST requests are only cacheable when they include 3895 explicit freshness information (see Section 4.2.1 of [Caching]) and a 3896 Content-Location header field that has the same value as the POST's 3897 target URI (Section 7.2.5). A cached POST response can be reused to 3898 satisfy a later GET or HEAD request, but not a POST request, since 3899 POST is required to be written through to the origin server, because 3900 it is unsafe; see Section 4 of [Caching]. 3902 If the result of processing a POST would be equivalent to a 3903 representation of an existing resource, an origin server MAY redirect 3904 the user agent to that resource by sending a 303 (See Other) response 3905 with the existing resource's identifier in the Location field. This 3906 has the benefits of providing the user agent a resource identifier 3907 and transferring the representation via a method more amenable to 3908 shared caching, though at the cost of an extra request if the user 3909 agent does not already have the representation cached. 3911 8.3.4. PUT 3913 The PUT method requests that the state of the target resource be 3914 created or replaced with the state defined by the representation 3915 enclosed in the request message payload. A successful PUT of a given 3916 representation would suggest that a subsequent GET on that same 3917 target resource will result in an equivalent representation being 3918 sent in a 200 (OK) response. However, there is no guarantee that 3919 such a state change will be observable, since the target resource 3920 might be acted upon by other user agents in parallel, or might be 3921 subject to dynamic processing by the origin server, before any 3922 subsequent GET is received. A successful response only implies that 3923 the user agent's intent was achieved at the time of its processing by 3924 the origin server. 3926 If the target resource does not have a current representation and the 3927 PUT successfully creates one, then the origin server MUST inform the 3928 user agent by sending a 201 (Created) response. If the target 3929 resource does have a current representation and that representation 3930 is successfully modified in accordance with the state of the enclosed 3931 representation, then the origin server MUST send either a 200 (OK) or 3932 a 204 (No Content) response to indicate successful completion of the 3933 request. 3935 An origin server SHOULD ignore unrecognized header and trailer fields 3936 received in a PUT request (i.e., do not save them as part of the 3937 resource state). 3939 An origin server SHOULD verify that the PUT representation is 3940 consistent with any constraints the server has for the target 3941 resource that cannot or will not be changed by the PUT. This is 3942 particularly important when the origin server uses internal 3943 configuration information related to the URI in order to set the 3944 values for representation metadata on GET responses. When a PUT 3945 representation is inconsistent with the target resource, the origin 3946 server SHOULD either make them consistent, by transforming the 3947 representation or changing the resource configuration, or respond 3948 with an appropriate error message containing sufficient information 3949 to explain why the representation is unsuitable. The 409 (Conflict) 3950 or 415 (Unsupported Media Type) status codes are suggested, with the 3951 latter being specific to constraints on Content-Type values. 3953 For example, if the target resource is configured to always have a 3954 Content-Type of "text/html" and the representation being PUT has a 3955 Content-Type of "image/jpeg", the origin server ought to do one of: 3957 a. reconfigure the target resource to reflect the new media type; 3958 b. transform the PUT representation to a format consistent with that 3959 of the resource before saving it as the new resource state; or, 3961 c. reject the request with a 415 (Unsupported Media Type) response 3962 indicating that the target resource is limited to "text/html", 3963 perhaps including a link to a different resource that would be a 3964 suitable target for the new representation. 3966 HTTP does not define exactly how a PUT method affects the state of an 3967 origin server beyond what can be expressed by the intent of the user 3968 agent request and the semantics of the origin server response. It 3969 does not define what a resource might be, in any sense of that word, 3970 beyond the interface provided via HTTP. It does not define how 3971 resource state is "stored", nor how such storage might change as a 3972 result of a change in resource state, nor how the origin server 3973 translates resource state into representations. Generally speaking, 3974 all implementation details behind the resource interface are 3975 intentionally hidden by the server. 3977 An origin server MUST NOT send a validator header field 3978 (Section 11.2), such as an ETag or Last-Modified field, in a 3979 successful response to PUT unless the request's representation data 3980 was saved without any transformation applied to the body (i.e., the 3981 resource's new representation data is identical to the representation 3982 data received in the PUT request) and the validator field value 3983 reflects the new representation. This requirement allows a user 3984 agent to know when the representation body it has in memory remains 3985 current as a result of the PUT, thus not in need of being retrieved 3986 again from the origin server, and that the new validator(s) received 3987 in the response can be used for future conditional requests in order 3988 to prevent accidental overwrites (Section 9.2). 3990 The fundamental difference between the POST and PUT methods is 3991 highlighted by the different intent for the enclosed representation. 3992 The target resource in a POST request is intended to handle the 3993 enclosed representation according to the resource's own semantics, 3994 whereas the enclosed representation in a PUT request is defined as 3995 replacing the state of the target resource. Hence, the intent of PUT 3996 is idempotent and visible to intermediaries, even though the exact 3997 effect is only known by the origin server. 3999 Proper interpretation of a PUT request presumes that the user agent 4000 knows which target resource is desired. A service that selects a 4001 proper URI on behalf of the client, after receiving a state-changing 4002 request, SHOULD be implemented using the POST method rather than PUT. 4003 If the origin server will not make the requested PUT state change to 4004 the target resource and instead wishes to have it applied to a 4005 different resource, such as when the resource has been moved to a 4006 different URI, then the origin server MUST send an appropriate 3xx 4007 (Redirection) response; the user agent MAY then make its own decision 4008 regarding whether or not to redirect the request. 4010 A PUT request applied to the target resource can have side effects on 4011 other resources. For example, an article might have a URI for 4012 identifying "the current version" (a resource) that is separate from 4013 the URIs identifying each particular version (different resources 4014 that at one point shared the same state as the current version 4015 resource). A successful PUT request on "the current version" URI 4016 might therefore create a new version resource in addition to changing 4017 the state of the target resource, and might also cause links to be 4018 added between the related resources. 4020 An origin server that allows PUT on a given target resource MUST send 4021 a 400 (Bad Request) response to a PUT request that contains a 4022 Content-Range header field (Section 7.3.4), since the payload is 4023 likely to be partial content that has been mistakenly PUT as a full 4024 representation. Partial content updates are possible by targeting a 4025 separately identified resource with state that overlaps a portion of 4026 the larger resource, or by using a different method that has been 4027 specifically defined for partial updates (for example, the PATCH 4028 method defined in [RFC5789]). 4030 Responses to the PUT method are not cacheable. If a successful PUT 4031 request passes through a cache that has one or more stored responses 4032 for the target URI, those stored responses will be invalidated (see 4033 Section 4.4 of [Caching]). 4035 8.3.5. DELETE 4037 The DELETE method requests that the origin server remove the 4038 association between the target resource and its current 4039 functionality. In effect, this method is similar to the rm command 4040 in UNIX: it expresses a deletion operation on the URI mapping of the 4041 origin server rather than an expectation that the previously 4042 associated information be deleted. 4044 If the target resource has one or more current representations, they 4045 might or might not be destroyed by the origin server, and the 4046 associated storage might or might not be reclaimed, depending 4047 entirely on the nature of the resource and its implementation by the 4048 origin server (which are beyond the scope of this specification). 4049 Likewise, other implementation aspects of a resource might need to be 4050 deactivated or archived as a result of a DELETE, such as database or 4051 gateway connections. In general, it is assumed that the origin 4052 server will only allow DELETE on resources for which it has a 4053 prescribed mechanism for accomplishing the deletion. 4055 Relatively few resources allow the DELETE method -- its primary use 4056 is for remote authoring environments, where the user has some 4057 direction regarding its effect. For example, a resource that was 4058 previously created using a PUT request, or identified via the 4059 Location header field after a 201 (Created) response to a POST 4060 request, might allow a corresponding DELETE request to undo those 4061 actions. Similarly, custom user agent implementations that implement 4062 an authoring function, such as revision control clients using HTTP 4063 for remote operations, might use DELETE based on an assumption that 4064 the server's URI space has been crafted to correspond to a version 4065 repository. 4067 If a DELETE method is successfully applied, the origin server SHOULD 4068 send 4070 o a 202 (Accepted) status code if the action will likely succeed but 4071 has not yet been enacted, 4073 o a 204 (No Content) status code if the action has been enacted and 4074 no further information is to be supplied, or 4076 o a 200 (OK) status code if the action has been enacted and the 4077 response message includes a representation describing the status. 4079 A client SHOULD NOT generate a body in a DELETE request. A payload 4080 received in a DELETE request has no defined semantics, cannot alter 4081 the meaning or target of the request, and might lead some 4082 implementations to reject the request. 4084 Responses to the DELETE method are not cacheable. If a successful 4085 DELETE request passes through a cache that has one or more stored 4086 responses for the target URI, those stored responses will be 4087 invalidated (see Section 4.4 of [Caching]). 4089 8.3.6. CONNECT 4091 The CONNECT method requests that the recipient establish a tunnel to 4092 the destination origin server identified by the request target and, 4093 if successful, thereafter restrict its behavior to blind forwarding 4094 of data, in both directions, until the tunnel is closed. Tunnels are 4095 commonly used to create an end-to-end virtual connection, through one 4096 or more proxies, which can then be secured using TLS (Transport Layer 4097 Security, [RFC8446]). 4099 Because CONNECT changes the request/response nature of an HTTP 4100 connection, specific HTTP versions might have different ways of 4101 mapping its semantics into the protocol's wire format. 4103 CONNECT is intended only for use in requests to a proxy. An origin 4104 server that receives a CONNECT request for itself MAY respond with a 4105 2xx (Successful) status code to indicate that a connection is 4106 established. However, most origin servers do not implement CONNECT. 4108 A client sending a CONNECT request MUST send the authority component 4109 (described in Section 3.2 of [RFC3986]) as the request target; i.e., 4110 the request target consists of only the host name and port number of 4111 the tunnel destination, separated by a colon. For example, 4113 CONNECT server.example.com:80 HTTP/1.1 4114 Host: server.example.com:80 4116 The recipient proxy can establish a tunnel either by directly 4117 connecting to the request target or, if configured to use another 4118 proxy, by forwarding the CONNECT request to the next inbound proxy. 4119 Any 2xx (Successful) response indicates that the sender (and all 4120 inbound proxies) will switch to tunnel mode immediately after the 4121 blank line that concludes the successful response's header section; 4122 data received after that blank line is from the server identified by 4123 the request target. Any response other than a successful response 4124 indicates that the tunnel has not yet been formed and that the 4125 connection remains governed by HTTP. 4127 A tunnel is closed when a tunnel intermediary detects that either 4128 side has closed its connection: the intermediary MUST attempt to send 4129 any outstanding data that came from the closed side to the other 4130 side, close both connections, and then discard any remaining data 4131 left undelivered. 4133 Proxy authentication might be used to establish the authority to 4134 create a tunnel. For example, 4136 CONNECT server.example.com:80 HTTP/1.1 4137 Host: server.example.com:80 4138 Proxy-Authorization: basic aGVsbG86d29ybGQ= 4140 There are significant risks in establishing a tunnel to arbitrary 4141 servers, particularly when the destination is a well-known or 4142 reserved TCP port that is not intended for Web traffic. For example, 4143 a CONNECT to "example.com:25" would suggest that the proxy connect to 4144 the reserved port for SMTP traffic; if allowed, that could trick the 4145 proxy into relaying spam email. Proxies that support CONNECT SHOULD 4146 restrict its use to a limited set of known ports or a configurable 4147 whitelist of safe request targets. 4149 A server MUST NOT send any Transfer-Encoding or Content-Length header 4150 fields in a 2xx (Successful) response to CONNECT. A client MUST 4151 ignore any Content-Length or Transfer-Encoding header fields received 4152 in a successful response to CONNECT. 4154 A payload within a CONNECT request message has no defined semantics; 4155 sending a payload body on a CONNECT request might cause some existing 4156 implementations to reject the request. 4158 Responses to the CONNECT method are not cacheable. 4160 8.3.7. OPTIONS 4162 The OPTIONS method requests information about the communication 4163 options available for the target resource, at either the origin 4164 server or an intervening intermediary. This method allows a client 4165 to determine the options and/or requirements associated with a 4166 resource, or the capabilities of a server, without implying a 4167 resource action. 4169 An OPTIONS request with an asterisk ("*") as the request target 4170 (Section 6.1) applies to the server in general rather than to a 4171 specific resource. Since a server's communication options typically 4172 depend on the resource, the "*" request is only useful as a "ping" or 4173 "no-op" type of method; it does nothing beyond allowing the client to 4174 test the capabilities of the server. For example, this can be used 4175 to test a proxy for HTTP/1.1 conformance (or lack thereof). 4177 If the request target is not an asterisk, the OPTIONS request applies 4178 to the options that are available when communicating with the target 4179 resource. 4181 A server generating a successful response to OPTIONS SHOULD send any 4182 header that might indicate optional features implemented by the 4183 server and applicable to the target resource (e.g., Allow), including 4184 potential extensions not defined by this specification. The response 4185 payload, if any, might also describe the communication options in a 4186 machine or human-readable representation. A standard format for such 4187 a representation is not defined by this specification, but might be 4188 defined by future extensions to HTTP. 4190 A client MAY send a Max-Forwards header field in an OPTIONS request 4191 to target a specific recipient in the request chain (see 4192 Section 9.1.2). A proxy MUST NOT generate a Max-Forwards header 4193 field while forwarding a request unless that request was received 4194 with a Max-Forwards field. 4196 A client that generates an OPTIONS request containing a payload body 4197 MUST send a valid Content-Type header field describing the 4198 representation media type. Note that this specification does not 4199 define any use for such a payload. 4201 Responses to the OPTIONS method are not cacheable. 4203 8.3.8. TRACE 4205 The TRACE method requests a remote, application-level loop-back of 4206 the request message. The final recipient of the request SHOULD 4207 reflect the message received, excluding some fields described below, 4208 back to the client as the message body of a 200 (OK) response with a 4209 Content-Type of "message/http" (Section 10.1 of [Messaging]). The 4210 final recipient is either the origin server or the first server to 4211 receive a Max-Forwards value of zero (0) in the request 4212 (Section 9.1.2). 4214 A client MUST NOT generate fields in a TRACE request containing 4215 sensitive data that might be disclosed by the response. For example, 4216 it would be foolish for a user agent to send stored user credentials 4217 Section 9.5 or cookies [RFC6265] in a TRACE request. The final 4218 recipient of the request SHOULD exclude any request fields that are 4219 likely to contain sensitive data when that recipient generates the 4220 response body. 4222 TRACE allows the client to see what is being received at the other 4223 end of the request chain and use that data for testing or diagnostic 4224 information. The value of the Via header field (Section 6.7.1) is of 4225 particular interest, since it acts as a trace of the request chain. 4226 Use of the Max-Forwards header field allows the client to limit the 4227 length of the request chain, which is useful for testing a chain of 4228 proxies forwarding messages in an infinite loop. 4230 A client MUST NOT send a message body in a TRACE request. 4232 Responses to the TRACE method are not cacheable. 4234 8.4. Method Extensibility 4236 Additional methods, outside the scope of this specification, have 4237 been specified for use in HTTP. All such methods ought to be 4238 registered within the "Hypertext Transfer Protocol (HTTP) Method 4239 Registry". 4241 8.4.1. Method Registry 4243 The "Hypertext Transfer Protocol (HTTP) Method Registry", maintained 4244 by IANA at , registers 4245 method names. 4247 HTTP method registrations MUST include the following fields: 4249 o Method Name (see Section 8) 4251 o Safe ("yes" or "no", see Section 8.2.1) 4253 o Idempotent ("yes" or "no", see Section 8.2.2) 4255 o Pointer to specification text 4257 Values to be added to this namespace require IETF Review (see 4258 [RFC8126], Section 4.8). 4260 8.4.2. Considerations for New Methods 4262 Standardized methods are generic; that is, they are potentially 4263 applicable to any resource, not just one particular media type, kind 4264 of resource, or application. As such, it is preferred that new 4265 methods be registered in a document that isn't specific to a single 4266 application or data format, since orthogonal technologies deserve 4267 orthogonal specification. 4269 Since message parsing (Section 6 of [Messaging]) needs to be 4270 independent of method semantics (aside from responses to HEAD), 4271 definitions of new methods cannot change the parsing algorithm or 4272 prohibit the presence of a message body on either the request or the 4273 response message. Definitions of new methods can specify that only a 4274 zero-length message body is allowed by requiring a Content-Length 4275 header field with a value of "0". 4277 A new method definition needs to indicate whether it is safe 4278 (Section 8.2.1), idempotent (Section 8.2.2), cacheable 4279 (Section 8.2.3), what semantics are to be associated with the payload 4280 body if any is present in the request and what refinements the method 4281 makes to header field or status code semantics. If the new method is 4282 cacheable, its definition ought to describe how, and under what 4283 conditions, a cache can store a response and use it to satisfy a 4284 subsequent request. The new method ought to describe whether it can 4285 be made conditional (Section 9.2) and, if so, how a server responds 4286 when the condition is false. Likewise, if the new method might have 4287 some use for partial response semantics (Section 9.3), it ought to 4288 document this, too. 4290 Note: Avoid defining a method name that starts with "M-", since 4291 that prefix might be misinterpreted as having the semantics 4292 assigned to it by [RFC2774]. 4294 9. Request Header Fields 4296 A client sends request header fields to provide more information 4297 about the request context, make the request conditional based on the 4298 target resource state, suggest preferred formats for the response, 4299 supply authentication credentials, or modify the expected request 4300 processing. These fields act as request modifiers, similar to the 4301 parameters on a programming language method invocation. 4303 9.1. Controls 4305 Controls are request header fields that direct specific handling of 4306 the request. 4308 +---------------+----------------------------+ 4309 | Field Name | Defined in... | 4310 +---------------+----------------------------+ 4311 | Cache-Control | Section 5.2 of [Caching] | 4312 | Expect | Section 9.1.1 | 4313 | Host | Section 6.6 | 4314 | Max-Forwards | Section 9.1.2 | 4315 | Pragma | Section 5.4 of [Caching] | 4316 | TE | Section 7.4 of [Messaging] | 4317 +---------------+----------------------------+ 4319 9.1.1. Expect 4321 The "Expect" header field in a request indicates a certain set of 4322 behaviors (expectations) that need to be supported by the server in 4323 order to properly handle this request. The only such expectation 4324 defined by this specification is 100-continue. 4326 Expect = "100-continue" 4328 The Expect field value is case-insensitive. 4330 A server that receives an Expect field value other than 100-continue 4331 MAY respond with a 417 (Expectation Failed) status code to indicate 4332 that the unexpected expectation cannot be met. 4334 A 100-continue expectation informs recipients that the client is 4335 about to send a (presumably large) message body in this request and 4336 wishes to receive a 100 (Continue) interim response if the method, 4337 target URI, and header fields are not sufficient to cause an 4338 immediate success, redirect, or error response. This allows the 4339 client to wait for an indication that it is worthwhile to send the 4340 message body before actually doing so, which can improve efficiency 4341 when the message body is huge or when the client anticipates that an 4342 error is likely (e.g., when sending a state-changing method, for the 4343 first time, without previously verified authentication credentials). 4345 For example, a request that begins with 4347 PUT /somewhere/fun HTTP/1.1 4348 Host: origin.example.com 4349 Content-Type: video/h264 4350 Content-Length: 1234567890987 4351 Expect: 100-continue 4353 allows the origin server to immediately respond with an error 4354 message, such as 401 (Unauthorized) or 405 (Method Not Allowed), 4355 before the client starts filling the pipes with an unnecessary data 4356 transfer. 4358 Requirements for clients: 4360 o A client MUST NOT generate a 100-continue expectation in a request 4361 that does not include a message body. 4363 o A client that will wait for a 100 (Continue) response before 4364 sending the request message body MUST send an Expect header field 4365 containing a 100-continue expectation. 4367 o A client that sends a 100-continue expectation is not required to 4368 wait for any specific length of time; such a client MAY proceed to 4369 send the message body even if it has not yet received a response. 4370 Furthermore, since 100 (Continue) responses cannot be sent through 4371 an HTTP/1.0 intermediary, such a client SHOULD NOT wait for an 4372 indefinite period before sending the message body. 4374 o A client that receives a 417 (Expectation Failed) status code in 4375 response to a request containing a 100-continue expectation SHOULD 4376 repeat that request without a 100-continue expectation, since the 4377 417 response merely indicates that the response chain does not 4378 support expectations (e.g., it passes through an HTTP/1.0 server). 4380 Requirements for servers: 4382 o A server that receives a 100-continue expectation in an HTTP/1.0 4383 request MUST ignore that expectation. 4385 o A server MAY omit sending a 100 (Continue) response if it has 4386 already received some or all of the message body for the 4387 corresponding request, or if the framing indicates that there is 4388 no message body. 4390 o A server that sends a 100 (Continue) response MUST ultimately send 4391 a final status code, once the message body is received and 4392 processed, unless the connection is closed prematurely. 4394 o A server that responds with a final status code before reading the 4395 entire request payload body SHOULD indicate whether it intends to 4396 close the connection (see Section 9.7 of [Messaging]) or continue 4397 reading the payload body. 4399 An origin server MUST, upon receiving an HTTP/1.1 (or later) request 4400 that has a method, target URI, and complete header section that 4401 contains a 100-continue expectation and indicates a request message 4402 body will follow, either send an immediate response with a final 4403 status code, if that status can be determined by examining just the 4404 method, target URI, and header fields, or send an immediate 100 4405 (Continue) response to encourage the client to send the request's 4406 message body. The origin server MUST NOT wait for the message body 4407 before sending the 100 (Continue) response. 4409 A proxy MUST, upon receiving an HTTP/1.1 (or later) request that has 4410 a method, target URI, and complete header section that contains a 4411 100-continue expectation and indicates a request message body will 4412 follow, either send an immediate response with a final status code, 4413 if that status can be determined by examining just the method, target 4414 URI, and header fields, or begin forwarding the request toward the 4415 origin server by sending a corresponding request-line and header 4416 section to the next inbound server. If the proxy believes (from 4417 configuration or past interaction) that the next inbound server only 4418 supports HTTP/1.0, the proxy MAY generate an immediate 100 (Continue) 4419 response to encourage the client to begin sending the message body. 4421 Note: The Expect header field was added after the original 4422 publication of HTTP/1.1 [RFC2068] as both the means to request an 4423 interim 100 (Continue) response and the general mechanism for 4424 indicating must-understand extensions. However, the extension 4425 mechanism has not been used by clients and the must-understand 4426 requirements have not been implemented by many servers, rendering 4427 the extension mechanism useless. This specification has removed 4428 the extension mechanism in order to simplify the definition and 4429 processing of 100-continue. 4431 9.1.2. Max-Forwards 4433 The "Max-Forwards" header field provides a mechanism with the TRACE 4434 (Section 8.3.8) and OPTIONS (Section 8.3.7) request methods to limit 4435 the number of times that the request is forwarded by proxies. This 4436 can be useful when the client is attempting to trace a request that 4437 appears to be failing or looping mid-chain. 4439 Max-Forwards = 1*DIGIT 4441 The Max-Forwards value is a decimal integer indicating the remaining 4442 number of times this request message can be forwarded. 4444 Each intermediary that receives a TRACE or OPTIONS request containing 4445 a Max-Forwards header field MUST check and update its value prior to 4446 forwarding the request. If the received value is zero (0), the 4447 intermediary MUST NOT forward the request; instead, the intermediary 4448 MUST respond as the final recipient. If the received Max-Forwards 4449 value is greater than zero, the intermediary MUST generate an updated 4450 Max-Forwards field in the forwarded message with a field value that 4451 is the lesser of a) the received value decremented by one (1) or b) 4452 the recipient's maximum supported value for Max-Forwards. 4454 A recipient MAY ignore a Max-Forwards header field received with any 4455 other request methods. 4457 9.2. Preconditions 4459 A conditional request is an HTTP request with one or more request 4460 header fields that indicate a precondition to be tested before 4461 applying the request method to the target resource. Section 9.2.1 4462 defines when preconditions are applied. Section 9.2.2 defines the 4463 order of evaluation when more than one precondition is present. 4465 Conditional GET requests are the most efficient mechanism for HTTP 4466 cache updates [Caching]. Conditionals can also be applied to state- 4467 changing methods, such as PUT and DELETE, to prevent the "lost 4468 update" problem: one client accidentally overwriting the work of 4469 another client that has been acting in parallel. 4471 Conditional request preconditions are based on the state of the 4472 target resource as a whole (its current value set) or the state as 4473 observed in a previously obtained representation (one value in that 4474 set). A resource might have multiple current representations, each 4475 with its own observable state. The conditional request mechanisms 4476 assume that the mapping of requests to a selected representation 4477 (Section 7) will be consistent over time if the server intends to 4478 take advantage of conditionals. Regardless, if the mapping is 4479 inconsistent and the server is unable to select the appropriate 4480 representation, then no harm will result when the precondition 4481 evaluates to false. 4483 The following request header fields allow a client to place a 4484 precondition on the state of the target resource, so that the action 4485 corresponding to the method semantics will not be applied if the 4486 precondition evaluates to false. Each precondition defined by this 4487 specification consists of a comparison between a set of validators 4488 obtained from prior representations of the target resource to the 4489 current state of validators for the selected representation 4490 (Section 11.2). Hence, these preconditions evaluate whether the 4491 state of the target resource has changed since a given state known by 4492 the client. The effect of such an evaluation depends on the method 4493 semantics and choice of conditional, as defined in Section 9.2.1. 4495 +---------------------+---------------+ 4496 | Field Name | Defined in... | 4497 +---------------------+---------------+ 4498 | If-Match | Section 9.2.3 | 4499 | If-None-Match | Section 9.2.4 | 4500 | If-Modified-Since | Section 9.2.5 | 4501 | If-Unmodified-Since | Section 9.2.6 | 4502 | If-Range | Section 9.2.7 | 4503 +---------------------+---------------+ 4505 9.2.1. Evaluation 4507 Except when excluded below, a recipient cache or origin server MUST 4508 evaluate received request preconditions after it has successfully 4509 performed its normal request checks and just before it would perform 4510 the action associated with the request method. A server MUST ignore 4511 all received preconditions if its response to the same request 4512 without those conditions would have been a status code other than a 4513 2xx (Successful) or 412 (Precondition Failed). In other words, 4514 redirects and failures take precedence over the evaluation of 4515 preconditions in conditional requests. 4517 A server that is not the origin server for the target resource and 4518 cannot act as a cache for requests on the target resource MUST NOT 4519 evaluate the conditional request header fields defined by this 4520 specification, and it MUST forward them if the request is forwarded, 4521 since the generating client intends that they be evaluated by a 4522 server that can provide a current representation. Likewise, a server 4523 MUST ignore the conditional request header fields defined by this 4524 specification when received with a request method that does not 4525 involve the selection or modification of a selected representation, 4526 such as CONNECT, OPTIONS, or TRACE. 4528 Note that protocol extensions can modify the conditions under which 4529 revalidation is triggered. For example, the "immutable" cache 4530 directive (defined by [RFC8246]) instructs caches to forgo 4531 revalidation of fresh responses even when requested by the client. 4533 Conditional request header fields that are defined by extensions to 4534 HTTP might place conditions on all recipients, on the state of the 4535 target resource in general, or on a group of resources. For 4536 instance, the "If" header field in WebDAV can make a request 4537 conditional on various aspects of multiple resources, such as locks, 4538 if the recipient understands and implements that field ([RFC4918], 4539 Section 10.4). 4541 Although conditional request header fields are defined as being 4542 usable with the HEAD method (to keep HEAD's semantics consistent with 4543 those of GET), there is no point in sending a conditional HEAD 4544 because a successful response is around the same size as a 304 (Not 4545 Modified) response and more useful than a 412 (Precondition Failed) 4546 response. 4548 9.2.2. Precedence 4550 When more than one conditional request header field is present in a 4551 request, the order in which the fields are evaluated becomes 4552 important. In practice, the fields defined in this document are 4553 consistently implemented in a single, logical order, since "lost 4554 update" preconditions have more strict requirements than cache 4555 validation, a validated cache is more efficient than a partial 4556 response, and entity tags are presumed to be more accurate than date 4557 validators. 4559 A recipient cache or origin server MUST evaluate the request 4560 preconditions defined by this specification in the following order: 4562 1. When recipient is the origin server and If-Match is present, 4563 evaluate the If-Match precondition: 4565 * if true, continue to step 3 4567 * if false, respond 412 (Precondition Failed) unless it can be 4568 determined that the state-changing request has already 4569 succeeded (see Section 9.2.3) 4571 2. When recipient is the origin server, If-Match is not present, and 4572 If-Unmodified-Since is present, evaluate the If-Unmodified-Since 4573 precondition: 4575 * if true, continue to step 3 4577 * if false, respond 412 (Precondition Failed) unless it can be 4578 determined that the state-changing request has already 4579 succeeded (see Section 9.2.6) 4581 3. When If-None-Match is present, evaluate the If-None-Match 4582 precondition: 4584 * if true, continue to step 5 4586 * if false for GET/HEAD, respond 304 (Not Modified) 4588 * if false for other methods, respond 412 (Precondition Failed) 4590 4. When the method is GET or HEAD, If-None-Match is not present, and 4591 If-Modified-Since is present, evaluate the If-Modified-Since 4592 precondition: 4594 * if true, continue to step 5 4596 * if false, respond 304 (Not Modified) 4598 5. When the method is GET and both Range and If-Range are present, 4599 evaluate the If-Range precondition: 4601 * if the validator matches and the Range specification is 4602 applicable to the selected representation, respond 206 4603 (Partial Content) 4605 6. Otherwise, 4607 * all conditions are met, so perform the requested action and 4608 respond according to its success or failure. 4610 Any extension to HTTP that defines additional conditional request 4611 header fields ought to define its own expectations regarding the 4612 order for evaluating such fields in relation to those defined in this 4613 document and other conditionals that might be found in practice. 4615 9.2.3. If-Match 4617 The "If-Match" header field makes the request method conditional on 4618 the recipient origin server either having at least one current 4619 representation of the target resource, when the field value is "*", 4620 or having a current representation of the target resource that has an 4621 entity-tag matching a member of the list of entity-tags provided in 4622 the field value. 4624 An origin server MUST use the strong comparison function when 4625 comparing entity-tags for If-Match (Section 11.2.3.2), since the 4626 client intends this precondition to prevent the method from being 4627 applied if there have been any changes to the representation data. 4629 If-Match = "*" / 1#entity-tag 4631 Examples: 4633 If-Match: "xyzzy" 4634 If-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 4635 If-Match: * 4637 If-Match is most often used with state-changing methods (e.g., POST, 4638 PUT, DELETE) to prevent accidental overwrites when multiple user 4639 agents might be acting in parallel on the same resource (i.e., to 4640 prevent the "lost update" problem). It can also be used with safe 4641 methods to abort a request if the selected representation does not 4642 match one already stored (or partially stored) from a prior request. 4644 An origin server that receives an If-Match header field MUST evaluate 4645 the condition as per Section 9.2.1 prior to performing the method. 4647 To evaluate a received If-Match header field: 4649 1. If the field value is "*", the condition is true if the origin 4650 server has a current representation for the target resource. 4652 2. If the field value is a list of entity-tags, the condition is 4653 true if any of the listed tags match the entity-tag of the 4654 selected representation. 4656 3. Otherwise, the condition is false. 4658 An origin server MUST NOT perform the requested method if a received 4659 If-Match condition evaluates to false; instead, the origin server 4660 MUST respond with either a) the 412 (Precondition Failed) status code 4661 or b) one of the 2xx (Successful) status codes if the origin server 4662 has verified that a state change is being requested and the final 4663 state is already reflected in the current state of the target 4664 resource (i.e., the change requested by the user agent has already 4665 succeeded, but the user agent might not be aware of it, perhaps 4666 because the prior response was lost or a compatible change was made 4667 by some other user agent). In the latter case, the origin server 4668 MUST NOT send a validator header field in the response unless it can 4669 verify that the request is a duplicate of an immediately prior change 4670 made by the same user agent. 4672 The If-Match header field can be ignored by caches and intermediaries 4673 because it is not applicable to a stored response. 4675 Note that an If-Match header field with a list value containing "*" 4676 and other values (including other instances of "*") is unlikely to be 4677 interoperable. 4679 9.2.4. If-None-Match 4681 The "If-None-Match" header field makes the request method conditional 4682 on a recipient cache or origin server either not having any current 4683 representation of the target resource, when the field value is "*", 4684 or having a selected representation with an entity-tag that does not 4685 match any of those listed in the field value. 4687 A recipient MUST use the weak comparison function when comparing 4688 entity-tags for If-None-Match (Section 11.2.3.2), since weak entity- 4689 tags can be used for cache validation even if there have been changes 4690 to the representation data. 4692 If-None-Match = "*" / 1#entity-tag 4694 Examples: 4696 If-None-Match: "xyzzy" 4697 If-None-Match: W/"xyzzy" 4698 If-None-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 4699 If-None-Match: W/"xyzzy", W/"r2d2xxxx", W/"c3piozzzz" 4700 If-None-Match: * 4702 If-None-Match is primarily used in conditional GET requests to enable 4703 efficient updates of cached information with a minimum amount of 4704 transaction overhead. When a client desires to update one or more 4705 stored responses that have entity-tags, the client SHOULD generate an 4706 If-None-Match header field containing a list of those entity-tags 4707 when making a GET request; this allows recipient servers to send a 4708 304 (Not Modified) response to indicate when one of those stored 4709 responses matches the selected representation. 4711 If-None-Match can also be used with a value of "*" to prevent an 4712 unsafe request method (e.g., PUT) from inadvertently modifying an 4713 existing representation of the target resource when the client 4714 believes that the resource does not have a current representation 4715 (Section 8.2.1). This is a variation on the "lost update" problem 4716 that might arise if more than one client attempts to create an 4717 initial representation for the target resource. 4719 An origin server that receives an If-None-Match header field MUST 4720 evaluate the condition as per Section 9.2.1 prior to performing the 4721 method. 4723 To evaluate a received If-None-Match header field: 4725 1. If the field value is "*", the condition is false if the origin 4726 server has a current representation for the target resource. 4728 2. If the field value is a list of entity-tags, the condition is 4729 false if one of the listed tags matches the entity-tag of the 4730 selected representation. 4732 3. Otherwise, the condition is true. 4734 An origin server MUST NOT perform the requested method if the 4735 condition evaluates to false; instead, the origin server MUST respond 4736 with either a) the 304 (Not Modified) status code if the request 4737 method is GET or HEAD or b) the 412 (Precondition Failed) status code 4738 for all other request methods. 4740 Requirements on cache handling of a received If-None-Match header 4741 field are defined in Section 4.3.2 of [Caching]. 4743 Note that an If-None-Match header field with a list value containing 4744 "*" and other values (including other instances of "*") is unlikely 4745 to be interoperable. 4747 9.2.5. If-Modified-Since 4749 The "If-Modified-Since" header field makes a GET or HEAD request 4750 method conditional on the selected representation's modification date 4751 being more recent than the date provided in the field value. 4752 Transfer of the selected representation's data is avoided if that 4753 data has not changed. 4755 If-Modified-Since = HTTP-date 4757 An example of the field is: 4759 If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT 4761 A recipient MUST ignore If-Modified-Since if the request contains an 4762 If-None-Match header field; the condition in If-None-Match is 4763 considered to be a more accurate replacement for the condition in If- 4764 Modified-Since, and the two are only combined for the sake of 4765 interoperating with older intermediaries that might not implement If- 4766 None-Match. 4768 A recipient MUST ignore the If-Modified-Since header field if the 4769 received field value is not a valid HTTP-date, or if the request 4770 method is neither GET nor HEAD. 4772 A recipient MUST interpret an If-Modified-Since field value's 4773 timestamp in terms of the origin server's clock. 4775 If-Modified-Since is typically used for two distinct purposes: 1) to 4776 allow efficient updates of a cached representation that does not have 4777 an entity-tag and 2) to limit the scope of a web traversal to 4778 resources that have recently changed. 4780 When used for cache updates, a cache will typically use the value of 4781 the cached message's Last-Modified field to generate the field value 4782 of If-Modified-Since. This behavior is most interoperable for cases 4783 where clocks are poorly synchronized or when the server has chosen to 4784 only honor exact timestamp matches (due to a problem with Last- 4785 Modified dates that appear to go "back in time" when the origin 4786 server's clock is corrected or a representation is restored from an 4787 archived backup). However, caches occasionally generate the field 4788 value based on other data, such as the Date header field of the 4789 cached message or the local clock time that the message was received, 4790 particularly when the cached message does not contain a Last-Modified 4791 field. 4793 When used for limiting the scope of retrieval to a recent time 4794 window, a user agent will generate an If-Modified-Since field value 4795 based on either its own local clock or a Date header field received 4796 from the server in a prior response. Origin servers that choose an 4797 exact timestamp match based on the selected representation's Last- 4798 Modified field will not be able to help the user agent limit its data 4799 transfers to only those changed during the specified window. 4801 An origin server that receives an If-Modified-Since header field 4802 SHOULD evaluate the condition as per Section 9.2.1 prior to 4803 performing the method. The origin server SHOULD NOT perform the 4804 requested method if the selected representation's last modification 4805 date is earlier than or equal to the date provided in the field 4806 value; instead, the origin server SHOULD generate a 304 (Not 4807 Modified) response, including only those metadata that are useful for 4808 identifying or updating a previously cached response. 4810 Requirements on cache handling of a received If-Modified-Since header 4811 field are defined in Section 4.3.2 of [Caching]. 4813 9.2.6. If-Unmodified-Since 4815 The "If-Unmodified-Since" header field makes the request method 4816 conditional on the selected representation's last modification date 4817 being earlier than or equal to the date provided in the field value. 4818 This field accomplishes the same purpose as If-Match for cases where 4819 the user agent does not have an entity-tag for the representation. 4821 If-Unmodified-Since = HTTP-date 4823 An example of the field is: 4825 If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT 4827 A recipient MUST ignore If-Unmodified-Since if the request contains 4828 an If-Match header field; the condition in If-Match is considered to 4829 be a more accurate replacement for the condition in If-Unmodified- 4830 Since, and the two are only combined for the sake of interoperating 4831 with older intermediaries that might not implement If-Match. 4833 A recipient MUST ignore the If-Unmodified-Since header field if the 4834 received field value is not a valid HTTP-date. 4836 A recipient MUST interpret an If-Unmodified-Since field value's 4837 timestamp in terms of the origin server's clock. 4839 If-Unmodified-Since is most often used with state-changing methods 4840 (e.g., POST, PUT, DELETE) to prevent accidental overwrites when 4841 multiple user agents might be acting in parallel on a resource that 4842 does not supply entity-tags with its representations (i.e., to 4843 prevent the "lost update" problem). It can also be used with safe 4844 methods to abort a request if the selected representation does not 4845 match one already stored (or partially stored) from a prior request. 4847 An origin server that receives an If-Unmodified-Since header field 4848 MUST evaluate the condition as per Section 9.2.1 prior to performing 4849 the method. 4851 If the selected representation has a last modification date, the 4852 origin server MUST NOT perform the requested method if that date is 4853 more recent than the date provided in the field value. Instead, the 4854 origin server MUST respond with either a) the 412 (Precondition 4855 Failed) status code or b) one of the 2xx (Successful) status codes if 4856 the origin server has verified that a state change is being requested 4857 and the final state is already reflected in the current state of the 4858 target resource (i.e., the change requested by the user agent has 4859 already succeeded, but the user agent might not be aware of that 4860 because the prior response message was lost or a compatible change 4861 was made by some other user agent). In the latter case, the origin 4862 server MUST NOT send a validator header field in the response unless 4863 it can verify that the request is a duplicate of an immediately prior 4864 change made by the same user agent. 4866 The If-Unmodified-Since header field can be ignored by caches and 4867 intermediaries because it is not applicable to a stored response. 4869 9.2.7. If-Range 4871 The "If-Range" header field provides a special conditional request 4872 mechanism that is similar to the If-Match and If-Unmodified-Since 4873 header fields but that instructs the recipient to ignore the Range 4874 header field if the validator doesn't match, resulting in transfer of 4875 the new selected representation instead of a 412 (Precondition 4876 Failed) response. 4878 If a client has a partial copy of a representation and wishes to have 4879 an up-to-date copy of the entire representation, it could use the 4880 Range header field with a conditional GET (using either or both of 4881 If-Unmodified-Since and If-Match.) However, if the precondition 4882 fails because the representation has been modified, the client would 4883 then have to make a second request to obtain the entire current 4884 representation. 4886 The "If-Range" header field allows a client to "short-circuit" the 4887 second request. Informally, its meaning is as follows: if the 4888 representation is unchanged, send me the part(s) that I am requesting 4889 in Range; otherwise, send me the entire representation. 4891 If-Range = entity-tag / HTTP-date 4893 A client MUST NOT generate an If-Range header field in a request that 4894 does not contain a Range header field. A server MUST ignore an If- 4895 Range header field received in a request that does not contain a 4896 Range header field. An origin server MUST ignore an If-Range header 4897 field received in a request for a target resource that does not 4898 support Range requests. 4900 A client MUST NOT generate an If-Range header field containing an 4901 entity-tag that is marked as weak. A client MUST NOT generate an If- 4902 Range header field containing an HTTP-date unless the client has no 4903 entity-tag for the corresponding representation and the date is a 4904 strong validator in the sense defined by Section 11.2.2.2. 4906 A server that evaluates an If-Range precondition MUST use the strong 4907 comparison function when comparing entity-tags (Section 11.2.3.2) and 4908 MUST evaluate the condition as false if an HTTP-date validator is 4909 provided that is not a strong validator in the sense defined by 4910 Section 11.2.2.2. A valid entity-tag can be distinguished from a 4911 valid HTTP-date by examining the first two characters for a DQUOTE. 4913 If the validator given in the If-Range header field matches the 4914 current validator for the selected representation of the target 4915 resource, then the server SHOULD process the Range header field as 4916 requested. If the validator does not match, the server MUST ignore 4917 the Range header field. Note that this comparison by exact match, 4918 including when the validator is an HTTP-date, differs from the 4919 "earlier than or equal to" comparison used when evaluating an If- 4920 Unmodified-Since conditional. 4922 9.3. Range 4924 The "Range" header field on a GET request modifies the method 4925 semantics to request transfer of only one or more subranges of the 4926 selected representation data (Section 7.1), rather than the entire 4927 selected representation. 4929 Range = ranges-specifier 4931 Clients often encounter interrupted data transfers as a result of 4932 canceled requests or dropped connections. When a client has stored a 4933 partial representation, it is desirable to request the remainder of 4934 that representation in a subsequent request rather than transfer the 4935 entire representation. Likewise, devices with limited local storage 4936 might benefit from being able to request only a subset of a larger 4937 representation, such as a single page of a very large document, or 4938 the dimensions of an embedded image. 4940 Range requests are an OPTIONAL feature of HTTP, designed so that 4941 recipients not implementing this feature (or not supporting it for 4942 the target resource) can respond as if it is a normal GET request 4943 without impacting interoperability. Partial responses are indicated 4944 by a distinct status code to not be mistaken for full responses by 4945 caches that might not implement the feature. 4947 A server MAY ignore the Range header field. However, origin servers 4948 and intermediate caches ought to support byte ranges when possible, 4949 since they support efficient recovery from partially failed transfers 4950 and partial retrieval of large representations. A server MUST ignore 4951 a Range header field received with a request method other than GET. 4953 Although the range request mechanism is designed to allow for 4954 extensible range types, this specification only defines requests for 4955 byte ranges. 4957 An origin server MUST ignore a Range header field that contains a 4958 range unit it does not understand. A proxy MAY discard a Range 4959 header field that contains a range unit it does not understand. 4961 A server that supports range requests MAY ignore or reject a Range 4962 header field that consists of more than two overlapping ranges, or a 4963 set of many small ranges that are not listed in ascending order, 4964 since both are indications of either a broken client or a deliberate 4965 denial-of-service attack (Section 12.13). A client SHOULD NOT 4966 request multiple ranges that are inherently less efficient to process 4967 and transfer than a single range that encompasses the same data. 4969 A server that supports range requests MAY ignore a Range header field 4970 when the selected representation has no body (i.e., the selected 4971 representation data is of zero length). 4973 A client that is requesting multiple ranges SHOULD list those ranges 4974 in ascending order (the order in which they would typically be 4975 received in a complete representation) unless there is a specific 4976 need to request a later part earlier. For example, a user agent 4977 processing a large representation with an internal catalog of parts 4978 might need to request later parts first, particularly if the 4979 representation consists of pages stored in reverse order and the user 4980 agent wishes to transfer one page at a time. 4982 The Range header field is evaluated after evaluating the precondition 4983 header fields defined in Section 9.2, and only if the result in 4984 absence of the Range header field would be a 200 (OK) response. In 4985 other words, Range is ignored when a conditional GET would result in 4986 a 304 (Not Modified) response. 4988 The If-Range header field (Section 9.2.7) can be used as a 4989 precondition to applying the Range header field. 4991 If all of the preconditions are true, the server supports the Range 4992 header field for the target resource, and the specified range(s) are 4993 valid and satisfiable (as defined in Section 7.1.4.2), the server 4994 SHOULD send a 206 (Partial Content) response with a payload 4995 containing one or more partial representations that correspond to the 4996 satisfiable ranges requested. 4998 If all of the preconditions are true, the server supports the Range 4999 header field for the target resource, and the specified range(s) are 5000 invalid or unsatisfiable, the server SHOULD send a 416 (Range Not 5001 Satisfiable) response. 5003 9.4. Negotiation 5005 The following request header fields can be sent by a user agent to 5006 engage in proactive negotiation of the response content, as defined 5007 in Section 7.4.1. The preferences sent in these fields apply to any 5008 content in the response, including representations of the target 5009 resource, representations of error or processing status, and 5010 potentially even the miscellaneous text strings that might appear 5011 within the protocol. 5013 +-----------------+---------------+ 5014 | Field Name | Defined in... | 5015 +-----------------+---------------+ 5016 | Accept | Section 9.4.1 | 5017 | Accept-Charset | Section 9.4.2 | 5018 | Accept-Encoding | Section 9.4.3 | 5019 | Accept-Language | Section 9.4.4 | 5020 +-----------------+---------------+ 5022 For each of these header fields, a request that does not contain it 5023 implies that the user agent has no preference on that axis of 5024 negotiation. If the header field is present in a request and none of 5025 the available representations for the response can be considered 5026 acceptable according to it, the origin server can either honor the 5027 header field by sending a 406 (Not Acceptable) response or disregard 5028 the header field by treating the response as if it is not subject to 5029 content negotiation for that request header field. This does not 5030 imply, however, that the client will be able to use the 5031 representation. 5033 Note: Sending these header fields makes it easier for a server to 5034 identify an individual by virtue of the user agent's request 5035 characteristics (Section 12.11). 5037 Each of these header fields defines a wildcard value (often, "*") to 5038 select unspecified values. If no wildcard is present, all values not 5039 explicitly mentioned in the field are considered "not acceptable" to 5040 the client. 5042 Note: In practice, using wildcards in content negotiation has limited 5043 practical value, because it is seldom useful to say, for example, "I 5044 prefer image/* more or less than (some other specific value)". 5045 Clients can explicitly request a 406 (Not Acceptable) response if a 5046 more preferred format is not available by sending Accept: */*;q=0, 5047 but they still need to be able to handle a different response, since 5048 the server is allowed to ignore their preference. 5050 9.4.1. Accept 5052 The "Accept" header field can be used by user agents to specify their 5053 preferences regarding response media types. For example, Accept 5054 header fields can be used to indicate that the request is 5055 specifically limited to a small set of desired types, as in the case 5056 of a request for an in-line image. 5058 When sent by a server in a response, Accept provides information 5059 about what content types are preferred in the payload of a subsequent 5060 request to the same resource. 5062 Accept = #( media-range [ accept-params ] ) 5064 media-range = ( "*/*" 5065 / ( type "/" "*" ) 5066 / ( type "/" subtype ) 5067 ) *( OWS ";" OWS parameter ) 5068 accept-params = weight *( accept-ext ) 5069 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 5071 The asterisk "*" character is used to group media types into ranges, 5072 with "*/*" indicating all media types and "type/*" indicating all 5073 subtypes of that type. The media-range can include media type 5074 parameters that are applicable to that range. 5076 Each media-range might be followed by zero or more applicable media 5077 type parameters (e.g., charset), an optional "q" parameter for 5078 indicating a relative weight (Section 7.4.4), and then zero or more 5079 extension parameters. The "q" parameter is necessary if any 5080 extensions (accept-ext) are present, since it acts as a separator 5081 between the two parameter sets. 5083 Note: Use of the "q" parameter name to separate media type 5084 parameters from Accept extension parameters is due to historical 5085 practice. Although this prevents any media type parameter named 5086 "q" from being used with a media range, such an event is believed 5087 to be unlikely given the lack of any "q" parameters in the IANA 5088 media type registry and the rare usage of any media type 5089 parameters in Accept. Future media types are discouraged from 5090 registering any parameter named "q". 5092 The example 5094 Accept: audio/*; q=0.2, audio/basic 5096 is interpreted as "I prefer audio/basic, but send me any audio type 5097 if it is the best available after an 80% markdown in quality". 5099 A more elaborate example is 5101 Accept: text/plain; q=0.5, text/html, 5102 text/x-dvi; q=0.8, text/x-c 5104 Verbally, this would be interpreted as "text/html and text/x-c are 5105 the equally preferred media types, but if they do not exist, then 5106 send the text/x-dvi representation, and if that does not exist, send 5107 the text/plain representation". 5109 Media ranges can be overridden by more specific media ranges or 5110 specific media types. If more than one media range applies to a 5111 given type, the most specific reference has precedence. For example, 5113 Accept: text/*, text/plain, text/plain;format=flowed, */* 5115 have the following precedence: 5117 1. text/plain;format=flowed 5119 2. text/plain 5121 3. text/* 5123 4. */* 5124 The media type quality factor associated with a given type is 5125 determined by finding the media range with the highest precedence 5126 that matches the type. For example, 5128 Accept: text/*;q=0.3, text/plain;q=0.7, text/plain;format=flowed, 5129 text/plain;format=fixed;q=0.4, */*;q=0.5 5131 would cause the following values to be associated: 5133 +--------------------------+---------------+ 5134 | Media Type | Quality Value | 5135 +--------------------------+---------------+ 5136 | text/plain;format=flowed | 1 | 5137 | text/plain | 0.7 | 5138 | text/html | 0.3 | 5139 | image/jpeg | 0.5 | 5140 | text/plain;format=fixed | 0.4 | 5141 | text/html;level=3 | 0.7 | 5142 +--------------------------+---------------+ 5144 Note: A user agent might be provided with a default set of quality 5145 values for certain media ranges. However, unless the user agent is a 5146 closed system that cannot interact with other rendering agents, this 5147 default set ought to be configurable by the user. 5149 9.4.2. Accept-Charset 5151 The "Accept-Charset" header field can be sent by a user agent to 5152 indicate its preferences for charsets in textual response content. 5153 For example, this field allows user agents capable of understanding 5154 more comprehensive or special-purpose charsets to signal that 5155 capability to an origin server that is capable of representing 5156 information in those charsets. 5158 Accept-Charset = 1#( ( charset / "*" ) [ weight ] ) 5160 Charset names are defined in Section 7.1.1.1. A user agent MAY 5161 associate a quality value with each charset to indicate the user's 5162 relative preference for that charset, as defined in Section 7.4.4. 5163 An example is 5165 Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 5167 The special value "*", if present in the Accept-Charset field, 5168 matches every charset that is not mentioned elsewhere in the Accept- 5169 Charset field. 5171 Note: Accept-Charset is deprecated because UTF-8 has become nearly 5172 ubiquitous and sending a detailed list of user-preferred charsets 5173 wastes bandwidth, increases latency, and makes passive fingerprinting 5174 far too easy (Section 12.11). Most general-purpose user agents do 5175 not send Accept-Charset, unless specifically configured to do so. 5177 9.4.3. Accept-Encoding 5179 The "Accept-Encoding" header field can be used to indicate 5180 preferences regarding the use of content codings (Section 7.1.2). 5182 When sent by a user agent in a request, Accept-Encoding indicates the 5183 content codings acceptable in a response. 5185 When sent by a server in a response, Accept-Encoding provides 5186 information about what content codings are preferred in the payload 5187 of a subsequent request to the same resource. 5189 An "identity" token is used as a synonym for "no encoding" in order 5190 to communicate when no encoding is preferred. 5192 Accept-Encoding = #( codings [ weight ] ) 5193 codings = content-coding / "identity" / "*" 5195 Each codings value MAY be given an associated quality value 5196 representing the preference for that encoding, as defined in 5197 Section 7.4.4. The asterisk "*" symbol in an Accept-Encoding field 5198 matches any available content-coding not explicitly listed in the 5199 header field. 5201 For example, 5203 Accept-Encoding: compress, gzip 5204 Accept-Encoding: 5205 Accept-Encoding: * 5206 Accept-Encoding: compress;q=0.5, gzip;q=1.0 5207 Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0 5209 A server tests whether a content-coding for a given representation is 5210 acceptable using these rules: 5212 1. If no Accept-Encoding field is in the request, any content-coding 5213 is considered acceptable by the user agent. 5215 2. If the representation has no content-coding, then it is 5216 acceptable by default unless specifically excluded by the Accept- 5217 Encoding field stating either "identity;q=0" or "*;q=0" without a 5218 more specific entry for "identity". 5220 3. If the representation's content-coding is one of the content- 5221 codings listed in the Accept-Encoding field value, then it is 5222 acceptable unless it is accompanied by a qvalue of 0. (As 5223 defined in Section 7.4.4, a qvalue of 0 means "not acceptable".) 5225 4. If multiple content-codings are acceptable, then the acceptable 5226 content-coding with the highest non-zero qvalue is preferred. 5228 An Accept-Encoding header field with a field value that is empty 5229 implies that the user agent does not want any content-coding in 5230 response. If an Accept-Encoding header field is present in a request 5231 and none of the available representations for the response have a 5232 content-coding that is listed as acceptable, the origin server SHOULD 5233 send a response without any content-coding. 5235 When the Accept-Encoding header field is present in a response, it 5236 indicates what content codings the resource was willing to accept in 5237 the associated request. The field value is evaluated the same way as 5238 in a request. 5240 Note that this information is specific to the associated request; the 5241 set of supported encodings might be different for other resources on 5242 the same server and could change over time or depend on other aspects 5243 of the request (such as the request method). 5245 Servers that fail a request due to an unsupported content coding 5246 ought to respond with a 415 (Unsupported Media Type) status and 5247 include an Accept-Encoding header field in that response, allowing 5248 clients to distinguish between issues related to content codings and 5249 media types. In order to avoid confusion with issues related to 5250 media types, servers that fail a request with a 415 status for 5251 reasons unrelated to content codings MUST NOT include the Accept- 5252 Encoding header field. 5254 The most common use of Accept-Encoding is in responses with a 415 5255 (Unsupported Media Type) status code, in response to optimistic use 5256 of a content coding by clients. However, the header field can also 5257 be used to indicate to clients that content codings are supported, to 5258 optimize future interactions. For example, a resource might include 5259 it in a 2xx (Successful) response when the request payload was big 5260 enough to justify use of a compression coding but the client failed 5261 do so. 5263 Note: Most HTTP/1.0 applications do not recognize or obey qvalues 5264 associated with content-codings. This means that qvalues might 5265 not work and are not permitted with x-gzip or x-compress. 5267 9.4.4. Accept-Language 5269 The "Accept-Language" header field can be used by user agents to 5270 indicate the set of natural languages that are preferred in the 5271 response. Language tags are defined in Section 7.1.3. 5273 Accept-Language = 1#( language-range [ weight ] ) 5274 language-range = 5275 5277 Each language-range can be given an associated quality value 5278 representing an estimate of the user's preference for the languages 5279 specified by that range, as defined in Section 7.4.4. For example, 5281 Accept-Language: da, en-gb;q=0.8, en;q=0.7 5283 would mean: "I prefer Danish, but will accept British English and 5284 other types of English". 5286 Note that some recipients treat the order in which language tags are 5287 listed as an indication of descending priority, particularly for tags 5288 that are assigned equal quality values (no value is the same as q=1). 5289 However, this behavior cannot be relied upon. For consistency and to 5290 maximize interoperability, many user agents assign each language tag 5291 a unique quality value while also listing them in order of decreasing 5292 quality. Additional discussion of language priority lists can be 5293 found in Section 2.3 of [RFC4647]. 5295 For matching, Section 3 of [RFC4647] defines several matching 5296 schemes. Implementations can offer the most appropriate matching 5297 scheme for their requirements. The "Basic Filtering" scheme 5298 ([RFC4647], Section 3.3.1) is identical to the matching scheme that 5299 was previously defined for HTTP in Section 14.4 of [RFC2616]. 5301 It might be contrary to the privacy expectations of the user to send 5302 an Accept-Language header field with the complete linguistic 5303 preferences of the user in every request (Section 12.11). 5305 Since intelligibility is highly dependent on the individual user, 5306 user agents need to allow user control over the linguistic preference 5307 (either through configuration of the user agent itself or by 5308 defaulting to a user controllable system setting). A user agent that 5309 does not provide such control to the user MUST NOT send an Accept- 5310 Language header field. 5312 Note: User agents ought to provide guidance to users when setting 5313 a preference, since users are rarely familiar with the details of 5314 language matching as described above. For example, users might 5315 assume that on selecting "en-gb", they will be served any kind of 5316 English document if British English is not available. A user 5317 agent might suggest, in such a case, to add "en" to the list for 5318 better matching behavior. 5320 9.5. Authentication Credentials 5322 HTTP provides a general framework for access control and 5323 authentication, via an extensible set of challenge-response 5324 authentication schemes, which can be used by a server to challenge a 5325 client request and by a client to provide authentication information. 5327 Two header fields are used for carrying authentication credentials. 5328 Note that various custom mechanisms for user authentication use the 5329 Cookie header field for this purpose, as defined in [RFC6265]. 5331 +---------------------+---------------+ 5332 | Field Name | Defined in... | 5333 +---------------------+---------------+ 5334 | Authorization | Section 9.5.3 | 5335 | Proxy-Authorization | Section 9.5.4 | 5336 +---------------------+---------------+ 5338 9.5.1. Challenge and Response 5340 HTTP provides a simple challenge-response authentication framework 5341 that can be used by a server to challenge a client request and by a 5342 client to provide authentication information. It uses a case- 5343 insensitive token as a means to identify the authentication scheme, 5344 followed by additional information necessary for achieving 5345 authentication via that scheme. The latter can be either a comma- 5346 separated list of parameters or a single sequence of characters 5347 capable of holding base64-encoded information. 5349 Authentication parameters are name=value pairs, where the name token 5350 is matched case-insensitively, and each parameter name MUST only 5351 occur once per challenge. 5353 auth-scheme = token 5355 auth-param = token BWS "=" BWS ( token / quoted-string ) 5357 token68 = 1*( ALPHA / DIGIT / 5358 "-" / "." / "_" / "~" / "+" / "/" ) *"=" 5360 The token68 syntax allows the 66 unreserved URI characters 5361 ([RFC3986]), plus a few others, so that it can hold a base64, 5362 base64url (URL and filename safe alphabet), base32, or base16 (hex) 5363 encoding, with or without padding, but excluding whitespace 5364 ([RFC4648]). 5366 A 401 (Unauthorized) response message is used by an origin server to 5367 challenge the authorization of a user agent, including a WWW- 5368 Authenticate header field containing at least one challenge 5369 applicable to the requested resource. 5371 A 407 (Proxy Authentication Required) response message is used by a 5372 proxy to challenge the authorization of a client, including a Proxy- 5373 Authenticate header field containing at least one challenge 5374 applicable to the proxy for the requested resource. 5376 challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 5378 Note: Many clients fail to parse a challenge that contains an 5379 unknown scheme. A workaround for this problem is to list well- 5380 supported schemes (such as "basic") first. 5382 A user agent that wishes to authenticate itself with an origin server 5383 -- usually, but not necessarily, after receiving a 401 (Unauthorized) 5384 -- can do so by including an Authorization header field with the 5385 request. 5387 A client that wishes to authenticate itself with a proxy -- usually, 5388 but not necessarily, after receiving a 407 (Proxy Authentication 5389 Required) -- can do so by including a Proxy-Authorization header 5390 field with the request. 5392 Both the Authorization field value and the Proxy-Authorization field 5393 value contain the client's credentials for the realm of the resource 5394 being requested, based upon a challenge received in a response 5395 (possibly at some point in the past). When creating their values, 5396 the user agent ought to do so by selecting the challenge with what it 5397 considers to be the most secure auth-scheme that it understands, 5398 obtaining credentials from the user as appropriate. Transmission of 5399 credentials within header field values implies significant security 5400 considerations regarding the confidentiality of the underlying 5401 connection, as described in Section 12.14.1. 5403 credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 5405 Upon receipt of a request for a protected resource that omits 5406 credentials, contains invalid credentials (e.g., a bad password) or 5407 partial credentials (e.g., when the authentication scheme requires 5408 more than one round trip), an origin server SHOULD send a 401 5409 (Unauthorized) response that contains a WWW-Authenticate header field 5410 with at least one (possibly new) challenge applicable to the 5411 requested resource. 5413 Likewise, upon receipt of a request that omits proxy credentials or 5414 contains invalid or partial proxy credentials, a proxy that requires 5415 authentication SHOULD generate a 407 (Proxy Authentication Required) 5416 response that contains a Proxy-Authenticate header field with at 5417 least one (possibly new) challenge applicable to the proxy. 5419 A server that receives valid credentials that are not adequate to 5420 gain access ought to respond with the 403 (Forbidden) status code 5421 (Section 10.5.4). 5423 HTTP does not restrict applications to this simple challenge-response 5424 framework for access authentication. Additional mechanisms can be 5425 used, such as authentication at the transport level or via message 5426 encapsulation, and with additional header fields specifying 5427 authentication information. However, such additional mechanisms are 5428 not defined by this specification. 5430 9.5.2. Protection Space (Realm) 5432 The "realm" authentication parameter is reserved for use by 5433 authentication schemes that wish to indicate a scope of protection. 5435 A protection space is defined by the canonical root URI (the scheme 5436 and authority components of the target URI; see Section 6.1) of the 5437 server being accessed, in combination with the realm value if 5438 present. These realms allow the protected resources on a server to 5439 be partitioned into a set of protection spaces, each with its own 5440 authentication scheme and/or authorization database. The realm value 5441 is a string, generally assigned by the origin server, that can have 5442 additional semantics specific to the authentication scheme. Note 5443 that a response can have multiple challenges with the same auth- 5444 scheme but with different realms. 5446 The protection space determines the domain over which credentials can 5447 be automatically applied. If a prior request has been authorized, 5448 the user agent MAY reuse the same credentials for all other requests 5449 within that protection space for a period of time determined by the 5450 authentication scheme, parameters, and/or user preferences (such as a 5451 configurable inactivity timeout). Unless specifically allowed by the 5452 authentication scheme, a single protection space cannot extend 5453 outside the scope of its server. 5455 For historical reasons, a sender MUST only generate the quoted-string 5456 syntax. Recipients might have to support both token and quoted- 5457 string syntax for maximum interoperability with existing clients that 5458 have been accepting both notations for a long time. 5460 9.5.3. Authorization 5462 The "Authorization" header field allows a user agent to authenticate 5463 itself with an origin server -- usually, but not necessarily, after 5464 receiving a 401 (Unauthorized) response. Its value consists of 5465 credentials containing the authentication information of the user 5466 agent for the realm of the resource being requested. 5468 Authorization = credentials 5470 If a request is authenticated and a realm specified, the same 5471 credentials are presumed to be valid for all other requests within 5472 this realm (assuming that the authentication scheme itself does not 5473 require otherwise, such as credentials that vary according to a 5474 challenge value or using synchronized clocks). 5476 A proxy forwarding a request MUST NOT modify any Authorization fields 5477 in that request. See Section 3.3 of [Caching] for details of and 5478 requirements pertaining to handling of the Authorization field by 5479 HTTP caches. 5481 9.5.4. Proxy-Authorization 5483 The "Proxy-Authorization" header field allows the client to identify 5484 itself (or its user) to a proxy that requires authentication. Its 5485 value consists of credentials containing the authentication 5486 information of the client for the proxy and/or realm of the resource 5487 being requested. 5489 Proxy-Authorization = credentials 5491 Unlike Authorization, the Proxy-Authorization header field applies 5492 only to the next inbound proxy that demanded authentication using the 5493 Proxy-Authenticate field. When multiple proxies are used in a chain, 5494 the Proxy-Authorization header field is consumed by the first inbound 5495 proxy that was expecting to receive credentials. A proxy MAY relay 5496 the credentials from the client request to the next proxy if that is 5497 the mechanism by which the proxies cooperatively authenticate a given 5498 request. 5500 9.5.5. Authentication Scheme Extensibility 5502 Aside from the general framework, this document does not specify any 5503 authentication schemes. New and existing authentication schemes are 5504 specified independently and ought to be registered within the 5505 "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry". 5506 For example, the "basic" and "digest" authentication schemes are 5507 defined by RFC 7617 and RFC 7616, respectively. 5509 9.5.5.1. Authentication Scheme Registry 5511 The "Hypertext Transfer Protocol (HTTP) Authentication Scheme 5512 Registry" defines the namespace for the authentication schemes in 5513 challenges and credentials. It is maintained at 5514 . 5516 Registrations MUST include the following fields: 5518 o Authentication Scheme Name 5520 o Pointer to specification text 5522 o Notes (optional) 5524 Values to be added to this namespace require IETF Review (see 5525 [RFC8126], Section 4.8). 5527 9.5.5.2. Considerations for New Authentication Schemes 5529 There are certain aspects of the HTTP Authentication framework that 5530 put constraints on how new authentication schemes can work: 5532 o HTTP authentication is presumed to be stateless: all of the 5533 information necessary to authenticate a request MUST be provided 5534 in the request, rather than be dependent on the server remembering 5535 prior requests. Authentication based on, or bound to, the 5536 underlying connection is outside the scope of this specification 5537 and inherently flawed unless steps are taken to ensure that the 5538 connection cannot be used by any party other than the 5539 authenticated user (see Section 2.2). 5541 o The authentication parameter "realm" is reserved for defining 5542 protection spaces as described in Section 9.5.2. New schemes MUST 5543 NOT use it in a way incompatible with that definition. 5545 o The "token68" notation was introduced for compatibility with 5546 existing authentication schemes and can only be used once per 5547 challenge or credential. Thus, new schemes ought to use the auth- 5548 param syntax instead, because otherwise future extensions will be 5549 impossible. 5551 o The parsing of challenges and credentials is defined by this 5552 specification and cannot be modified by new authentication 5553 schemes. When the auth-param syntax is used, all parameters ought 5554 to support both token and quoted-string syntax, and syntactical 5555 constraints ought to be defined on the field value after parsing 5556 (i.e., quoted-string processing). This is necessary so that 5557 recipients can use a generic parser that applies to all 5558 authentication schemes. 5560 Note: The fact that the value syntax for the "realm" parameter is 5561 restricted to quoted-string was a bad design choice not to be 5562 repeated for new parameters. 5564 o Definitions of new schemes ought to define the treatment of 5565 unknown extension parameters. In general, a "must-ignore" rule is 5566 preferable to a "must-understand" rule, because otherwise it will 5567 be hard to introduce new parameters in the presence of legacy 5568 recipients. Furthermore, it's good to describe the policy for 5569 defining new parameters (such as "update the specification" or 5570 "use this registry"). 5572 o Authentication schemes need to document whether they are usable in 5573 origin-server authentication (i.e., using WWW-Authenticate), and/ 5574 or proxy authentication (i.e., using Proxy-Authenticate). 5576 o The credentials carried in an Authorization header field are 5577 specific to the user agent and, therefore, have the same effect on 5578 HTTP caches as the "private" Cache-Control response directive 5579 (Section 5.2.2.7 of [Caching]), within the scope of the request in 5580 which they appear. 5582 Therefore, new authentication schemes that choose not to carry 5583 credentials in the Authorization header field (e.g., using a newly 5584 defined header field) will need to explicitly disallow caching, by 5585 mandating the use of Cache-Control response directives (e.g., 5586 "private"). 5588 o Schemes using Authentication-Info, Proxy-Authentication-Info, or 5589 any other authentication related response header field need to 5590 consider and document the related security considerations (see 5591 Section 12.14.4). 5593 9.6. Request Context 5595 The following request header fields provide additional information 5596 about the request context, including information about the user, user 5597 agent, and resource behind the request. 5599 +------------+---------------+ 5600 | Field Name | Defined in... | 5601 +------------+---------------+ 5602 | From | Section 9.6.1 | 5603 | Referer | Section 9.6.2 | 5604 | User-Agent | Section 9.6.3 | 5605 +------------+---------------+ 5607 9.6.1. From 5609 The "From" header field contains an Internet email address for a 5610 human user who controls the requesting user agent. The address ought 5611 to be machine-usable, as defined by "mailbox" in Section 3.4 of 5612 [RFC5322]: 5614 From = mailbox 5616 mailbox = 5618 An example is: 5620 From: webmaster@example.org 5622 The From header field is rarely sent by non-robotic user agents. A 5623 user agent SHOULD NOT send a From header field without explicit 5624 configuration by the user, since that might conflict with the user's 5625 privacy interests or their site's security policy. 5627 A robotic user agent SHOULD send a valid From header field so that 5628 the person responsible for running the robot can be contacted if 5629 problems occur on servers, such as if the robot is sending excessive, 5630 unwanted, or invalid requests. 5632 A server SHOULD NOT use the From header field for access control or 5633 authentication, since most recipients will assume that the field 5634 value is public information. 5636 9.6.2. Referer 5638 The "Referer" [sic] header field allows the user agent to specify a 5639 URI reference for the resource from which the target URI was obtained 5640 (i.e., the "referrer", though the field name is misspelled). A user 5641 agent MUST NOT include the fragment and userinfo components of the 5642 URI reference [RFC3986], if any, when generating the Referer field 5643 value. 5645 Referer = absolute-URI / partial-URI 5647 The field value is either an absolute-URI or a partial-URI. In the 5648 latter case (Section 2.4), the referenced URI is relative to the 5649 target URI ([RFC3986], Section 5). 5651 The Referer header field allows servers to generate back-links to 5652 other resources for simple analytics, logging, optimized caching, 5653 etc. It also allows obsolete or mistyped links to be found for 5654 maintenance. Some servers use the Referer header field as a means of 5655 denying links from other sites (so-called "deep linking") or 5656 restricting cross-site request forgery (CSRF), but not all requests 5657 contain it. 5659 Example: 5661 Referer: http://www.example.org/hypertext/Overview.html 5663 If the target URI was obtained from a source that does not have its 5664 own URI (e.g., input from the user keyboard, or an entry within the 5665 user's bookmarks/favorites), the user agent MUST either exclude the 5666 Referer field or send it with a value of "about:blank". 5668 The Referer field has the potential to reveal information about the 5669 request context or browsing history of the user, which is a privacy 5670 concern if the referring resource's identifier reveals personal 5671 information (such as an account name) or a resource that is supposed 5672 to be confidential (such as behind a firewall or internal to a 5673 secured service). Most general-purpose user agents do not send the 5674 Referer header field when the referring resource is a local "file" or 5675 "data" URI. A user agent MUST NOT send a Referer header field in an 5676 unsecured HTTP request if the referring page was received with a 5677 secure protocol. See Section 12.8 for additional security 5678 considerations. 5680 Some intermediaries have been known to indiscriminately remove 5681 Referer header fields from outgoing requests. This has the 5682 unfortunate side effect of interfering with protection against CSRF 5683 attacks, which can be far more harmful to their users. 5684 Intermediaries and user agent extensions that wish to limit 5685 information disclosure in Referer ought to restrict their changes to 5686 specific edits, such as replacing internal domain names with 5687 pseudonyms or truncating the query and/or path components. An 5688 intermediary SHOULD NOT modify or delete the Referer header field 5689 when the field value shares the same scheme and host as the target 5690 URI. 5692 9.6.3. User-Agent 5694 The "User-Agent" header field contains information about the user 5695 agent originating the request, which is often used by servers to help 5696 identify the scope of reported interoperability problems, to work 5697 around or tailor responses to avoid particular user agent 5698 limitations, and for analytics regarding browser or operating system 5699 use. A user agent SHOULD send a User-Agent field in each request 5700 unless specifically configured not to do so. 5702 User-Agent = product *( RWS ( product / comment ) ) 5704 The User-Agent field value consists of one or more product 5705 identifiers, each followed by zero or more comments 5706 (Section 5.4.1.3), which together identify the user agent software 5707 and its significant subproducts. By convention, the product 5708 identifiers are listed in decreasing order of their significance for 5709 identifying the user agent software. Each product identifier 5710 consists of a name and optional version. 5712 product = token ["/" product-version] 5713 product-version = token 5715 A sender SHOULD limit generated product identifiers to what is 5716 necessary to identify the product; a sender MUST NOT generate 5717 advertising or other nonessential information within the product 5718 identifier. A sender SHOULD NOT generate information in product- 5719 version that is not a version identifier (i.e., successive versions 5720 of the same product name ought to differ only in the product-version 5721 portion of the product identifier). 5723 Example: 5725 User-Agent: CERN-LineMode/2.15 libwww/2.17b3 5727 A user agent SHOULD NOT generate a User-Agent field containing 5728 needlessly fine-grained detail and SHOULD limit the addition of 5729 subproducts by third parties. Overly long and detailed User-Agent 5730 field values increase request latency and the risk of a user being 5731 identified against their wishes ("fingerprinting"). 5733 Likewise, implementations are encouraged not to use the product 5734 tokens of other implementations in order to declare compatibility 5735 with them, as this circumvents the purpose of the field. If a user 5736 agent masquerades as a different user agent, recipients can assume 5737 that the user intentionally desires to see responses tailored for 5738 that identified user agent, even if they might not work as well for 5739 the actual user agent being used. 5741 10. Response Status Codes 5743 The (response) status code is a three-digit integer code giving the 5744 result of the attempt to understand and satisfy the request. 5746 HTTP status codes are extensible. HTTP clients are not required to 5747 understand the meaning of all registered status codes, though such 5748 understanding is obviously desirable. However, a client MUST 5749 understand the class of any status code, as indicated by the first 5750 digit, and treat an unrecognized status code as being equivalent to 5751 the x00 status code of that class. 5753 For example, if an unrecognized status code of 471 is received by a 5754 client, the client can assume that there was something wrong with its 5755 request and treat the response as if it had received a 400 (Bad 5756 Request) status code. The response message will usually contain a 5757 representation that explains the status. 5759 The first digit of the status code defines the class of response. 5760 The last two digits do not have any categorization role. There are 5761 five values for the first digit: 5763 o 1xx (Informational): The request was received, continuing process 5765 o 2xx (Successful): The request was successfully received, 5766 understood, and accepted 5768 o 3xx (Redirection): Further action needs to be taken in order to 5769 complete the request 5771 o 4xx (Client Error): The request contains bad syntax or cannot be 5772 fulfilled 5774 o 5xx (Server Error): The server failed to fulfill an apparently 5775 valid request 5777 A single request can have multiple associated responses: zero or more 5778 interim (non-final) responses with status codes in the 5779 "informational" (1xx) range, followed by exactly one final response 5780 with a status code in one of the other ranges. 5782 10.1. Overview of Status Codes 5784 The status codes listed below are defined in this specification. The 5785 reason phrases listed here are only recommendations -- they can be 5786 replaced by local equivalents without affecting the protocol. 5788 Responses with status codes that are defined as heuristically 5789 cacheable (e.g., 200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 5790 414, and 501 in this specification) can be reused by a cache with 5791 heuristic expiration unless otherwise indicated by the method 5792 definition or explicit cache controls [Caching]; all other status 5793 codes are not heuristically cacheable. 5795 +-------+-------------------------------+------------------+ 5796 | Value | Description | Reference | 5797 +-------+-------------------------------+------------------+ 5798 | 100 | Continue | Section 10.2.1 | 5799 | 101 | Switching Protocols | Section 10.2.2 | 5800 | 200 | OK | Section 10.3.1 | 5801 | 201 | Created | Section 10.3.2 | 5802 | 202 | Accepted | Section 10.3.3 | 5803 | 203 | Non-Authoritative Information | Section 10.3.4 | 5804 | 204 | No Content | Section 10.3.5 | 5805 | 205 | Reset Content | Section 10.3.6 | 5806 | 206 | Partial Content | Section 10.3.7 | 5807 | 300 | Multiple Choices | Section 10.4.1 | 5808 | 301 | Moved Permanently | Section 10.4.2 | 5809 | 302 | Found | Section 10.4.3 | 5810 | 303 | See Other | Section 10.4.4 | 5811 | 304 | Not Modified | Section 10.4.5 | 5812 | 305 | Use Proxy | Section 10.4.6 | 5813 | 306 | (Unused) | Section 10.4.7 | 5814 | 307 | Temporary Redirect | Section 10.4.8 | 5815 | 308 | Permanent Redirect | Section 10.4.9 | 5816 | 400 | Bad Request | Section 10.5.1 | 5817 | 401 | Unauthorized | Section 10.5.2 | 5818 | 402 | Payment Required | Section 10.5.3 | 5819 | 403 | Forbidden | Section 10.5.4 | 5820 | 404 | Not Found | Section 10.5.5 | 5821 | 405 | Method Not Allowed | Section 10.5.6 | 5822 | 406 | Not Acceptable | Section 10.5.7 | 5823 | 407 | Proxy Authentication Required | Section 10.5.8 | 5824 | 408 | Request Timeout | Section 10.5.9 | 5825 | 409 | Conflict | Section 10.5.10 | 5826 | 410 | Gone | Section 10.5.11 | 5827 | 411 | Length Required | Section 10.5.12 | 5828 | 412 | Precondition Failed | Section 10.5.13 | 5829 | 413 | Payload Too Large | Section 10.5.14 | 5830 | 414 | URI Too Long | Section 10.5.15 | 5831 | 415 | Unsupported Media Type | Section 10.5.16 | 5832 | 416 | Range Not Satisfiable | Section 10.5.17 | 5833 | 417 | Expectation Failed | Section 10.5.18 | 5834 | 418 | (Unused) | Section 10.5.19 | 5835 | 422 | Unprocessable Payload | Section 10.5.20 | 5836 | 426 | Upgrade Required | Section 10.5.21 | 5837 | 500 | Internal Server Error | Section 10.6.1 | 5838 | 501 | Not Implemented | Section 10.6.2 | 5839 | 502 | Bad Gateway | Section 10.6.3 | 5840 | 503 | Service Unavailable | Section 10.6.4 | 5841 | 504 | Gateway Timeout | Section 10.6.5 | 5842 | 505 | HTTP Version Not Supported | Section 10.6.6 | 5843 +-------+-------------------------------+------------------+ 5845 Table 6 5847 Note that this list is not exhaustive -- it does not include 5848 extension status codes defined in other specifications 5849 (Section 10.7). 5851 10.2. Informational 1xx 5853 The 1xx (Informational) class of status code indicates an interim 5854 response for communicating connection status or request progress 5855 prior to completing the requested action and sending a final 5856 response. 1xx responses are terminated by the end of the header 5857 section. Since HTTP/1.0 did not define any 1xx status codes, a 5858 server MUST NOT send a 1xx response to an HTTP/1.0 client. 5860 A client MUST be able to parse one or more 1xx responses received 5861 prior to a final response, even if the client does not expect one. A 5862 user agent MAY ignore unexpected 1xx responses. 5864 A proxy MUST forward 1xx responses unless the proxy itself requested 5865 the generation of the 1xx response. For example, if a proxy adds an 5866 "Expect: 100-continue" field when it forwards a request, then it need 5867 not forward the corresponding 100 (Continue) response(s). 5869 10.2.1. 100 Continue 5871 The 100 (Continue) status code indicates that the initial part of a 5872 request has been received and has not yet been rejected by the 5873 server. The server intends to send a final response after the 5874 request has been fully received and acted upon. 5876 When the request contains an Expect header field that includes a 5877 100-continue expectation, the 100 response indicates that the server 5878 wishes to receive the request payload body, as described in 5879 Section 9.1.1. The client ought to continue sending the request and 5880 discard the 100 response. 5882 If the request did not contain an Expect header field containing the 5883 100-continue expectation, the client can simply discard this interim 5884 response. 5886 10.2.2. 101 Switching Protocols 5888 The 101 (Switching Protocols) status code indicates that the server 5889 understands and is willing to comply with the client's request, via 5890 the Upgrade header field (Section 9.9 of [Messaging]), for a change 5891 in the application protocol being used on this connection. The 5892 server MUST generate an Upgrade header field in the response that 5893 indicates which protocol(s) will be switched to immediately after the 5894 empty line that terminates the 101 response. 5896 It is assumed that the server will only agree to switch protocols 5897 when it is advantageous to do so. For example, switching to a newer 5898 version of HTTP might be advantageous over older versions, and 5899 switching to a real-time, synchronous protocol might be advantageous 5900 when delivering resources that use such features. 5902 10.3. Successful 2xx 5904 The 2xx (Successful) class of status code indicates that the client's 5905 request was successfully received, understood, and accepted. 5907 10.3.1. 200 OK 5909 The 200 (OK) status code indicates that the request has succeeded. 5910 The payload sent in a 200 response depends on the request method. 5911 For the methods defined by this specification, the intended meaning 5912 of the payload can be summarized as: 5914 GET a representation of the target resource; 5915 HEAD the same representation as GET, but without the representation 5916 data; 5918 POST a representation of the status of, or results obtained from, 5919 the action; 5921 PUT, DELETE a representation of the status of the action; 5923 OPTIONS a representation of the communications options; 5925 TRACE a representation of the request message as received by the end 5926 server. 5928 Aside from responses to CONNECT, a 200 response always has a payload, 5929 though an origin server MAY generate a payload body of zero length. 5930 If no payload is desired, an origin server ought to send 204 (No 5931 Content) instead. For CONNECT, no payload is allowed because the 5932 successful result is a tunnel, which begins immediately after the 200 5933 response header section. 5935 A 200 response is heuristically cacheable; i.e., unless otherwise 5936 indicated by the method definition or explicit cache controls (see 5937 Section 4.2.2 of [Caching]). 5939 10.3.2. 201 Created 5941 The 201 (Created) status code indicates that the request has been 5942 fulfilled and has resulted in one or more new resources being 5943 created. The primary resource created by the request is identified 5944 by either a Location header field in the response or, if no Location 5945 field is received, by the target URI. 5947 The 201 response payload typically describes and links to the 5948 resource(s) created. See Section 11.2 for a discussion of the 5949 meaning and purpose of validator header fields, such as ETag and 5950 Last-Modified, in a 201 response. 5952 10.3.3. 202 Accepted 5954 The 202 (Accepted) status code indicates that the request has been 5955 accepted for processing, but the processing has not been completed. 5956 The request might or might not eventually be acted upon, as it might 5957 be disallowed when processing actually takes place. There is no 5958 facility in HTTP for re-sending a status code from an asynchronous 5959 operation. 5961 The 202 response is intentionally noncommittal. Its purpose is to 5962 allow a server to accept a request for some other process (perhaps a 5963 batch-oriented process that is only run once per day) without 5964 requiring that the user agent's connection to the server persist 5965 until the process is completed. The representation sent with this 5966 response ought to describe the request's current status and point to 5967 (or embed) a status monitor that can provide the user with an 5968 estimate of when the request will be fulfilled. 5970 10.3.4. 203 Non-Authoritative Information 5972 The 203 (Non-Authoritative Information) status code indicates that 5973 the request was successful but the enclosed payload has been modified 5974 from that of the origin server's 200 (OK) response by a transforming 5975 proxy (Section 6.7.2). This status code allows the proxy to notify 5976 recipients when a transformation has been applied, since that 5977 knowledge might impact later decisions regarding the content. For 5978 example, future cache validation requests for the content might only 5979 be applicable along the same request path (through the same proxies). 5981 The 203 response is similar to the Warning code of 214 Transformation 5982 Applied (Section 5.5 of [Caching]), which has the advantage of being 5983 applicable to responses with any status code. 5985 A 203 response is heuristically cacheable; i.e., unless otherwise 5986 indicated by the method definition or explicit cache controls (see 5987 Section 4.2.2 of [Caching]). 5989 10.3.5. 204 No Content 5991 The 204 (No Content) status code indicates that the server has 5992 successfully fulfilled the request and that there is no additional 5993 content to send in the response payload body. Metadata in the 5994 response header fields refer to the target resource and its selected 5995 representation after the requested action was applied. 5997 For example, if a 204 status code is received in response to a PUT 5998 request and the response contains an ETag field, then the PUT was 5999 successful and the ETag field value contains the entity-tag for the 6000 new representation of that target resource. 6002 The 204 response allows a server to indicate that the action has been 6003 successfully applied to the target resource, while implying that the 6004 user agent does not need to traverse away from its current "document 6005 view" (if any). The server assumes that the user agent will provide 6006 some indication of the success to its user, in accord with its own 6007 interface, and apply any new or updated metadata in the response to 6008 its active representation. 6010 For example, a 204 status code is commonly used with document editing 6011 interfaces corresponding to a "save" action, such that the document 6012 being saved remains available to the user for editing. It is also 6013 frequently used with interfaces that expect automated data transfers 6014 to be prevalent, such as within distributed version control systems. 6016 A 204 response is terminated by the first empty line after the header 6017 fields because it cannot contain a message body. 6019 A 204 response is heuristically cacheable; i.e., unless otherwise 6020 indicated by the method definition or explicit cache controls (see 6021 Section 4.2.2 of [Caching]). 6023 10.3.6. 205 Reset Content 6025 The 205 (Reset Content) status code indicates that the server has 6026 fulfilled the request and desires that the user agent reset the 6027 "document view", which caused the request to be sent, to its original 6028 state as received from the origin server. 6030 This response is intended to support a common data entry use case 6031 where the user receives content that supports data entry (a form, 6032 notepad, canvas, etc.), enters or manipulates data in that space, 6033 causes the entered data to be submitted in a request, and then the 6034 data entry mechanism is reset for the next entry so that the user can 6035 easily initiate another input action. 6037 Since the 205 status code implies that no additional content will be 6038 provided, a server MUST NOT generate a payload in a 205 response. 6040 10.3.7. 206 Partial Content 6042 The 206 (Partial Content) status code indicates that the server is 6043 successfully fulfilling a range request for the target resource by 6044 transferring one or more parts of the selected representation. 6046 When a 206 response is generated, the server MUST generate the 6047 following header fields, in addition to those required in the 6048 subsections below, if the field would have been sent in a 200 (OK) 6049 response to the same request: Date, Cache-Control, ETag, Expires, 6050 Content-Location, and Vary. 6052 If a 206 is generated in response to a request with an If-Range 6053 header field, the sender SHOULD NOT generate other representation 6054 header fields beyond those required, because the client is understood 6055 to already have a prior response containing those header fields. 6056 Otherwise, the sender MUST generate all of the representation header 6057 fields that would have been sent in a 200 (OK) response to the same 6058 request. 6060 A 206 response is heuristically cacheable; i.e., unless otherwise 6061 indicated by explicit cache controls (see Section 4.2.2 of 6062 [Caching]). 6064 10.3.7.1. Single Part 6066 If a single part is being transferred, the server generating the 206 6067 response MUST generate a Content-Range header field, describing what 6068 range of the selected representation is enclosed, and a payload 6069 consisting of the range. For example: 6071 HTTP/1.1 206 Partial Content 6072 Date: Wed, 15 Nov 1995 06:25:24 GMT 6073 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 6074 Content-Range: bytes 21010-47021/47022 6075 Content-Length: 26012 6076 Content-Type: image/gif 6078 ... 26012 bytes of partial image data ... 6080 10.3.7.2. Multiple Parts 6082 If multiple parts are being transferred, the server generating the 6083 206 response MUST generate a "multipart/byteranges" payload, as 6084 defined in Section 7.3.5, and a Content-Type header field containing 6085 the multipart/byteranges media type and its required boundary 6086 parameter. To avoid confusion with single-part responses, a server 6087 MUST NOT generate a Content-Range header field in the HTTP header 6088 section of a multiple part response (this field will be sent in each 6089 part instead). 6091 Within the header area of each body part in the multipart payload, 6092 the server MUST generate a Content-Range header field corresponding 6093 to the range being enclosed in that body part. If the selected 6094 representation would have had a Content-Type header field in a 200 6095 (OK) response, the server SHOULD generate that same Content-Type 6096 field in the header area of each body part. For example: 6098 HTTP/1.1 206 Partial Content 6099 Date: Wed, 15 Nov 1995 06:25:24 GMT 6100 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 6101 Content-Length: 1741 6102 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 6104 --THIS_STRING_SEPARATES 6105 Content-Type: application/pdf 6106 Content-Range: bytes 500-999/8000 6108 ...the first range... 6109 --THIS_STRING_SEPARATES 6110 Content-Type: application/pdf 6111 Content-Range: bytes 7000-7999/8000 6113 ...the second range 6114 --THIS_STRING_SEPARATES-- 6116 When multiple ranges are requested, a server MAY coalesce any of the 6117 ranges that overlap, or that are separated by a gap that is smaller 6118 than the overhead of sending multiple parts, regardless of the order 6119 in which the corresponding range-spec appeared in the received Range 6120 header field. Since the typical overhead between parts of a 6121 multipart/byteranges payload is around 80 bytes, depending on the 6122 selected representation's media type and the chosen boundary 6123 parameter length, it can be less efficient to transfer many small 6124 disjoint parts than it is to transfer the entire selected 6125 representation. 6127 A server MUST NOT generate a multipart response to a request for a 6128 single range, since a client that does not request multiple parts 6129 might not support multipart responses. However, a server MAY 6130 generate a multipart/byteranges payload with only a single body part 6131 if multiple ranges were requested and only one range was found to be 6132 satisfiable or only one range remained after coalescing. A client 6133 that cannot process a multipart/byteranges response MUST NOT generate 6134 a request that asks for multiple ranges. 6136 When a multipart response payload is generated, the server SHOULD 6137 send the parts in the same order that the corresponding range-spec 6138 appeared in the received Range header field, excluding those ranges 6139 that were deemed unsatisfiable or that were coalesced into other 6140 ranges. A client that receives a multipart response MUST inspect the 6141 Content-Range header field present in each body part in order to 6142 determine which range is contained in that body part; a client cannot 6143 rely on receiving the same ranges that it requested, nor the same 6144 order that it requested. 6146 10.3.7.3. Combining Parts 6148 A response might transfer only a subrange of a representation if the 6149 connection closed prematurely or if the request used one or more 6150 Range specifications. After several such transfers, a client might 6151 have received several ranges of the same representation. These 6152 ranges can only be safely combined if they all have in common the 6153 same strong validator (Section 11.2.1). 6155 A client that has received multiple partial responses to GET requests 6156 on a target resource MAY combine those responses into a larger 6157 continuous range if they share the same strong validator. 6159 If the most recent response is an incomplete 200 (OK) response, then 6160 the header fields of that response are used for any combined response 6161 and replace those of the matching stored responses. 6163 If the most recent response is a 206 (Partial Content) response and 6164 at least one of the matching stored responses is a 200 (OK), then the 6165 combined response header fields consist of the most recent 200 6166 response's header fields. If all of the matching stored responses 6167 are 206 responses, then the stored response with the most recent 6168 header fields is used as the source of header fields for the combined 6169 response, except that the client MUST use other header fields 6170 provided in the new response, aside from Content-Range, to replace 6171 all instances of the corresponding header fields in the stored 6172 response. 6174 The combined response message body consists of the union of partial 6175 content ranges in the new response and each of the selected 6176 responses. If the union consists of the entire range of the 6177 representation, then the client MUST process the combined response as 6178 if it were a complete 200 (OK) response, including a Content-Length 6179 header field that reflects the complete length. Otherwise, the 6180 client MUST process the set of continuous ranges as one of the 6181 following: an incomplete 200 (OK) response if the combined response 6182 is a prefix of the representation, a single 206 (Partial Content) 6183 response containing a multipart/byteranges body, or multiple 206 6184 (Partial Content) responses, each with one continuous range that is 6185 indicated by a Content-Range header field. 6187 10.4. Redirection 3xx 6189 The 3xx (Redirection) class of status code indicates that further 6190 action needs to be taken by the user agent in order to fulfill the 6191 request. If a Location header field (Section 11.1.2) is provided, 6192 the user agent MAY automatically redirect its request to the URI 6193 referenced by the Location field value, even if the specific status 6194 code is not understood. Automatic redirection needs to be done with 6195 care for methods not known to be safe, as defined in Section 8.2.1, 6196 since the user might not wish to redirect an unsafe request. 6198 There are several types of redirects: 6200 1. Redirects that indicate the resource might be available at a 6201 different URI, as provided by the Location field, as in the 6202 status codes 301 (Moved Permanently), 302 (Found), 307 (Temporary 6203 Redirect), and 308 (Permanent Redirect). 6205 2. Redirection that offers a choice of matching resources, each 6206 capable of representing the original target resource, as in the 6207 300 (Multiple Choices) status code. 6209 3. Redirection to a different resource, identified by the Location 6210 field, that can represent an indirect response to the request, as 6211 in the 303 (See Other) status code. 6213 4. Redirection to a previously cached result, as in the 304 (Not 6214 Modified) status code. 6216 Note: In HTTP/1.0, the status codes 301 (Moved Permanently) and 6217 302 (Found) were defined for the first type of redirect 6218 ([RFC1945], Section 9.3). Early user agents split on whether the 6219 method applied to the redirect target would be the same as the 6220 original request or would be rewritten as GET. Although HTTP 6221 originally defined the former semantics for 301 and 302 (to match 6222 its original implementation at CERN), and defined 303 (See Other) 6223 to match the latter semantics, prevailing practice gradually 6224 converged on the latter semantics for 301 and 302 as well. The 6225 first revision of HTTP/1.1 added 307 (Temporary Redirect) to 6226 indicate the former semantics of 302 without being impacted by 6227 divergent practice. For the same reason, 308 (Permanent Redirect) 6228 was later on added in [RFC7538] to match 301. Over 10 years 6229 later, most user agents still do method rewriting for 301 and 302; 6230 therefore, [RFC7231] made that behavior conformant when the 6231 original request is POST. 6233 A client SHOULD detect and intervene in cyclical redirections (i.e., 6234 "infinite" redirection loops). 6236 Note: An earlier version of this specification recommended a 6237 maximum of five redirections ([RFC2068], Section 10.3). Content 6238 developers need to be aware that some clients might implement such 6239 a fixed limitation. 6241 10.4.1. 300 Multiple Choices 6243 The 300 (Multiple Choices) status code indicates that the target 6244 resource has more than one representation, each with its own more 6245 specific identifier, and information about the alternatives is being 6246 provided so that the user (or user agent) can select a preferred 6247 representation by redirecting its request to one or more of those 6248 identifiers. In other words, the server desires that the user agent 6249 engage in reactive negotiation to select the most appropriate 6250 representation(s) for its needs (Section 7.4). 6252 If the server has a preferred choice, the server SHOULD generate a 6253 Location header field containing a preferred choice's URI reference. 6254 The user agent MAY use the Location field value for automatic 6255 redirection. 6257 For request methods other than HEAD, the server SHOULD generate a 6258 payload in the 300 response containing a list of representation 6259 metadata and URI reference(s) from which the user or user agent can 6260 choose the one most preferred. The user agent MAY make a selection 6261 from that list automatically if it understands the provided media 6262 type. A specific format for automatic selection is not defined by 6263 this specification because HTTP tries to remain orthogonal to the 6264 definition of its payloads. In practice, the representation is 6265 provided in some easily parsed format believed to be acceptable to 6266 the user agent, as determined by shared design or content 6267 negotiation, or in some commonly accepted hypertext format. 6269 A 300 response is heuristically cacheable; i.e., unless otherwise 6270 indicated by the method definition or explicit cache controls (see 6271 Section 4.2.2 of [Caching]). 6273 Note: The original proposal for the 300 status code defined the 6274 URI header field as providing a list of alternative 6275 representations, such that it would be usable for 200, 300, and 6276 406 responses and be transferred in responses to the HEAD method. 6277 However, lack of deployment and disagreement over syntax led to 6278 both URI and Alternates (a subsequent proposal) being dropped from 6279 this specification. It is possible to communicate the list as a 6280 Link header field value [RFC8288] whose members have a 6281 relationship of "alternate", though deployment is a chicken-and- 6282 egg problem. 6284 10.4.2. 301 Moved Permanently 6286 The 301 (Moved Permanently) status code indicates that the target 6287 resource has been assigned a new permanent URI and any future 6288 references to this resource ought to use one of the enclosed URIs. 6289 Clients with link-editing capabilities ought to automatically re-link 6290 references to the target URI to one or more of the new references 6291 sent by the server, where possible. 6293 The server SHOULD generate a Location header field in the response 6294 containing a preferred URI reference for the new permanent URI. The 6295 user agent MAY use the Location field value for automatic 6296 redirection. The server's response payload usually contains a short 6297 hypertext note with a hyperlink to the new URI(s). 6299 Note: For historical reasons, a user agent MAY change the request 6300 method from POST to GET for the subsequent request. If this 6301 behavior is undesired, the 308 (Permanent Redirect) status code 6302 can be used instead. 6304 A 301 response is heuristically cacheable; i.e., unless otherwise 6305 indicated by the method definition or explicit cache controls (see 6306 Section 4.2.2 of [Caching]). 6308 10.4.3. 302 Found 6310 The 302 (Found) status code indicates that the target resource 6311 resides temporarily under a different URI. Since the redirection 6312 might be altered on occasion, the client ought to continue to use the 6313 target URI for future requests. 6315 The server SHOULD generate a Location header field in the response 6316 containing a URI reference for the different URI. The user agent MAY 6317 use the Location field value for automatic redirection. The server's 6318 response payload usually contains a short hypertext note with a 6319 hyperlink to the different URI(s). 6321 Note: For historical reasons, a user agent MAY change the request 6322 method from POST to GET for the subsequent request. If this 6323 behavior is undesired, the 307 (Temporary Redirect) status code 6324 can be used instead. 6326 10.4.4. 303 See Other 6328 The 303 (See Other) status code indicates that the server is 6329 redirecting the user agent to a different resource, as indicated by a 6330 URI in the Location header field, which is intended to provide an 6331 indirect response to the original request. A user agent can perform 6332 a retrieval request targeting that URI (a GET or HEAD request if 6333 using HTTP), which might also be redirected, and present the eventual 6334 result as an answer to the original request. Note that the new URI 6335 in the Location header field is not considered equivalent to the 6336 target URI. 6338 This status code is applicable to any HTTP method. It is primarily 6339 used to allow the output of a POST action to redirect the user agent 6340 to a selected resource, since doing so provides the information 6341 corresponding to the POST response in a form that can be separately 6342 identified, bookmarked, and cached, independent of the original 6343 request. 6345 A 303 response to a GET request indicates that the origin server does 6346 not have a representation of the target resource that can be 6347 transferred by the server over HTTP. However, the Location field 6348 value refers to a resource that is descriptive of the target 6349 resource, such that making a retrieval request on that other resource 6350 might result in a representation that is useful to recipients without 6351 implying that it represents the original target resource. Note that 6352 answers to the questions of what can be represented, what 6353 representations are adequate, and what might be a useful description 6354 are outside the scope of HTTP. 6356 Except for responses to a HEAD request, the representation of a 303 6357 response ought to contain a short hypertext note with a hyperlink to 6358 the same URI reference provided in the Location header field. 6360 10.4.5. 304 Not Modified 6362 The 304 (Not Modified) status code indicates that a conditional GET 6363 or HEAD request has been received and would have resulted in a 200 6364 (OK) response if it were not for the fact that the condition 6365 evaluated to false. In other words, there is no need for the server 6366 to transfer a representation of the target resource because the 6367 request indicates that the client, which made the request 6368 conditional, already has a valid representation; the server is 6369 therefore redirecting the client to make use of that stored 6370 representation as if it were the payload of a 200 (OK) response. 6372 The server generating a 304 response MUST generate any of the 6373 following header fields that would have been sent in a 200 (OK) 6374 response to the same request: Cache-Control, Content-Location, Date, 6375 ETag, Expires, and Vary. 6377 Since the goal of a 304 response is to minimize information transfer 6378 when the recipient already has one or more cached representations, a 6379 sender SHOULD NOT generate representation metadata other than the 6380 above listed fields unless said metadata exists for the purpose of 6381 guiding cache updates (e.g., Last-Modified might be useful if the 6382 response does not have an ETag field). 6384 Requirements on a cache that receives a 304 response are defined in 6385 Section 4.3.4 of [Caching]. If the conditional request originated 6386 with an outbound client, such as a user agent with its own cache 6387 sending a conditional GET to a shared proxy, then the proxy SHOULD 6388 forward the 304 response to that client. 6390 A 304 response cannot contain a message-body; it is always terminated 6391 by the first empty line after the header fields. 6393 10.4.6. 305 Use Proxy 6395 The 305 (Use Proxy) status code was defined in a previous version of 6396 this specification and is now deprecated (Appendix B of [RFC7231]). 6398 10.4.7. 306 (Unused) 6400 The 306 status code was defined in a previous version of this 6401 specification, is no longer used, and the code is reserved. 6403 10.4.8. 307 Temporary Redirect 6405 The 307 (Temporary Redirect) status code indicates that the target 6406 resource resides temporarily under a different URI and the user agent 6407 MUST NOT change the request method if it performs an automatic 6408 redirection to that URI. Since the redirection can change over time, 6409 the client ought to continue using the original target URI for future 6410 requests. 6412 The server SHOULD generate a Location header field in the response 6413 containing a URI reference for the different URI. The user agent MAY 6414 use the Location field value for automatic redirection. The server's 6415 response payload usually contains a short hypertext note with a 6416 hyperlink to the different URI(s). 6418 10.4.9. 308 Permanent Redirect 6420 The 308 (Permanent Redirect) status code indicates that the target 6421 resource has been assigned a new permanent URI and any future 6422 references to this resource ought to use one of the enclosed URIs. 6423 Clients with link editing capabilities ought to automatically re-link 6424 references to the target URI to one or more of the new references 6425 sent by the server, where possible. 6427 The server SHOULD generate a Location header field in the response 6428 containing a preferred URI reference for the new permanent URI. The 6429 user agent MAY use the Location field value for automatic 6430 redirection. The server's response payload usually contains a short 6431 hypertext note with a hyperlink to the new URI(s). 6433 A 308 response is heuristically cacheable; i.e., unless otherwise 6434 indicated by the method definition or explicit cache controls (see 6435 Section 4.2.2 of [Caching]). 6437 Note: This status code is much younger (June 2014) than its 6438 sibling codes, and thus might not be recognized everywhere. See 6439 Section 4 of [RFC7538] for deployment considerations. 6441 10.5. Client Error 4xx 6443 The 4xx (Client Error) class of status code indicates that the client 6444 seems to have erred. Except when responding to a HEAD request, the 6445 server SHOULD send a representation containing an explanation of the 6446 error situation, and whether it is a temporary or permanent 6447 condition. These status codes are applicable to any request method. 6448 User agents SHOULD display any included representation to the user. 6450 10.5.1. 400 Bad Request 6452 The 400 (Bad Request) status code indicates that the server cannot or 6453 will not process the request due to something that is perceived to be 6454 a client error (e.g., malformed request syntax, invalid request 6455 message framing, or deceptive request routing). 6457 10.5.2. 401 Unauthorized 6459 The 401 (Unauthorized) status code indicates that the request has not 6460 been applied because it lacks valid authentication credentials for 6461 the target resource. The server generating a 401 response MUST send 6462 a WWW-Authenticate header field (Section 11.3.1) containing at least 6463 one challenge applicable to the target resource. 6465 If the request included authentication credentials, then the 401 6466 response indicates that authorization has been refused for those 6467 credentials. The user agent MAY repeat the request with a new or 6468 replaced Authorization header field (Section 9.5.3). If the 401 6469 response contains the same challenge as the prior response, and the 6470 user agent has already attempted authentication at least once, then 6471 the user agent SHOULD present the enclosed representation to the 6472 user, since it usually contains relevant diagnostic information. 6474 10.5.3. 402 Payment Required 6476 The 402 (Payment Required) status code is reserved for future use. 6478 10.5.4. 403 Forbidden 6480 The 403 (Forbidden) status code indicates that the server understood 6481 the request but refuses to fulfill it. A server that wishes to make 6482 public why the request has been forbidden can describe that reason in 6483 the response payload (if any). 6485 If authentication credentials were provided in the request, the 6486 server considers them insufficient to grant access. The client 6487 SHOULD NOT automatically repeat the request with the same 6488 credentials. The client MAY repeat the request with new or different 6489 credentials. However, a request might be forbidden for reasons 6490 unrelated to the credentials. 6492 An origin server that wishes to "hide" the current existence of a 6493 forbidden target resource MAY instead respond with a status code of 6494 404 (Not Found). 6496 10.5.5. 404 Not Found 6498 The 404 (Not Found) status code indicates that the origin server did 6499 not find a current representation for the target resource or is not 6500 willing to disclose that one exists. A 404 status code does not 6501 indicate whether this lack of representation is temporary or 6502 permanent; the 410 (Gone) status code is preferred over 404 if the 6503 origin server knows, presumably through some configurable means, that 6504 the condition is likely to be permanent. 6506 A 404 response is heuristically cacheable; i.e., unless otherwise 6507 indicated by the method definition or explicit cache controls (see 6508 Section 4.2.2 of [Caching]). 6510 10.5.6. 405 Method Not Allowed 6512 The 405 (Method Not Allowed) status code indicates that the method 6513 received in the request-line is known by the origin server but not 6514 supported by the target resource. The origin server MUST generate an 6515 Allow header field in a 405 response containing a list of the target 6516 resource's currently supported methods. 6518 A 405 response is heuristically cacheable; i.e., unless otherwise 6519 indicated by the method definition or explicit cache controls (see 6520 Section 4.2.2 of [Caching]). 6522 10.5.7. 406 Not Acceptable 6524 The 406 (Not Acceptable) status code indicates that the target 6525 resource does not have a current representation that would be 6526 acceptable to the user agent, according to the proactive negotiation 6527 header fields received in the request (Section 9.4), and the server 6528 is unwilling to supply a default representation. 6530 The server SHOULD generate a payload containing a list of available 6531 representation characteristics and corresponding resource identifiers 6532 from which the user or user agent can choose the one most 6533 appropriate. A user agent MAY automatically select the most 6534 appropriate choice from that list. However, this specification does 6535 not define any standard for such automatic selection, as described in 6536 Section 10.4.1. 6538 10.5.8. 407 Proxy Authentication Required 6540 The 407 (Proxy Authentication Required) status code is similar to 401 6541 (Unauthorized), but it indicates that the client needs to 6542 authenticate itself in order to use a proxy for this request. The 6543 proxy MUST send a Proxy-Authenticate header field (Section 11.3.2) 6544 containing a challenge applicable to that proxy for the request. The 6545 client MAY repeat the request with a new or replaced Proxy- 6546 Authorization header field (Section 9.5.4). 6548 10.5.9. 408 Request Timeout 6550 The 408 (Request Timeout) status code indicates that the server did 6551 not receive a complete request message within the time that it was 6552 prepared to wait. If the client has an outstanding request in 6553 transit, the client MAY repeat that request on a new connection. 6555 10.5.10. 409 Conflict 6557 The 409 (Conflict) status code indicates that the request could not 6558 be completed due to a conflict with the current state of the target 6559 resource. This code is used in situations where the user might be 6560 able to resolve the conflict and resubmit the request. The server 6561 SHOULD generate a payload that includes enough information for a user 6562 to recognize the source of the conflict. 6564 Conflicts are most likely to occur in response to a PUT request. For 6565 example, if versioning were being used and the representation being 6566 PUT included changes to a resource that conflict with those made by 6567 an earlier (third-party) request, the origin server might use a 409 6568 response to indicate that it can't complete the request. In this 6569 case, the response representation would likely contain information 6570 useful for merging the differences based on the revision history. 6572 10.5.11. 410 Gone 6574 The 410 (Gone) status code indicates that access to the target 6575 resource is no longer available at the origin server and that this 6576 condition is likely to be permanent. If the origin server does not 6577 know, or has no facility to determine, whether or not the condition 6578 is permanent, the status code 404 (Not Found) ought to be used 6579 instead. 6581 The 410 response is primarily intended to assist the task of web 6582 maintenance by notifying the recipient that the resource is 6583 intentionally unavailable and that the server owners desire that 6584 remote links to that resource be removed. Such an event is common 6585 for limited-time, promotional services and for resources belonging to 6586 individuals no longer associated with the origin server's site. It 6587 is not necessary to mark all permanently unavailable resources as 6588 "gone" or to keep the mark for any length of time -- that is left to 6589 the discretion of the server owner. 6591 A 410 response is heuristically cacheable; i.e., unless otherwise 6592 indicated by the method definition or explicit cache controls (see 6593 Section 4.2.2 of [Caching]). 6595 10.5.12. 411 Length Required 6597 The 411 (Length Required) status code indicates that the server 6598 refuses to accept the request without a defined Content-Length 6599 (Section 7.2.4). The client MAY repeat the request if it adds a 6600 valid Content-Length header field containing the length of the 6601 message body in the request message. 6603 10.5.13. 412 Precondition Failed 6605 The 412 (Precondition Failed) status code indicates that one or more 6606 conditions given in the request header fields evaluated to false when 6607 tested on the server. This response status code allows the client to 6608 place preconditions on the current resource state (its current 6609 representations and metadata) and, thus, prevent the request method 6610 from being applied if the target resource is in an unexpected state. 6612 10.5.14. 413 Payload Too Large 6614 The 413 (Payload Too Large) status code indicates that the server is 6615 refusing to process a request because the request payload is larger 6616 than the server is willing or able to process. The server MAY 6617 terminate the request, if the protocol version in use allows it; 6618 otherwise, the server MAY close the connection. 6620 If the condition is temporary, the server SHOULD generate a Retry- 6621 After header field to indicate that it is temporary and after what 6622 time the client MAY try again. 6624 10.5.15. 414 URI Too Long 6626 The 414 (URI Too Long) status code indicates that the server is 6627 refusing to service the request because the target URI is longer than 6628 the server is willing to interpret. This rare condition is only 6629 likely to occur when a client has improperly converted a POST request 6630 to a GET request with long query information, when the client has 6631 descended into a "black hole" of redirection (e.g., a redirected URI 6632 prefix that points to a suffix of itself) or when the server is under 6633 attack by a client attempting to exploit potential security holes. 6635 A 414 response is heuristically cacheable; i.e., unless otherwise 6636 indicated by the method definition or explicit cache controls (see 6637 Section 4.2.2 of [Caching]). 6639 10.5.16. 415 Unsupported Media Type 6641 The 415 (Unsupported Media Type) status code indicates that the 6642 origin server is refusing to service the request because the payload 6643 is in a format not supported by this method on the target resource. 6645 The format problem might be due to the request's indicated Content- 6646 Type or Content-Encoding, or as a result of inspecting the data 6647 directly. 6649 If the problem was caused by an unsupported content coding, the 6650 Accept-Encoding response header field (Section 9.4.3) ought to be 6651 used to indicate what (if any) content codings would have been 6652 accepted in the request. 6654 On the other hand, if the cause was an unsupported media type, the 6655 Accept response header field (Section 9.4.1) can be used to indicate 6656 what media types would have been accepted in the request. 6658 10.5.17. 416 Range Not Satisfiable 6660 The 416 (Range Not Satisfiable) status code indicates that the set of 6661 ranges in the request's Range header field (Section 9.3) has been 6662 rejected either because none of the requested ranges are satisfiable 6663 or because the client has requested an excessive number of small or 6664 overlapping ranges (a potential denial of service attack). 6666 Each range unit defines what is required for its own range sets to be 6667 satisfiable. For example, Section 7.1.4.2 defines what makes a bytes 6668 range set satisfiable. 6670 When this status code is generated in response to a byte-range 6671 request, the sender SHOULD generate a Content-Range header field 6672 specifying the current length of the selected representation 6673 (Section 7.3.4). 6675 For example: 6677 HTTP/1.1 416 Range Not Satisfiable 6678 Date: Fri, 20 Jan 2012 15:41:54 GMT 6679 Content-Range: bytes */47022 6681 Note: Because servers are free to ignore Range, many 6682 implementations will respond with the entire selected 6683 representation in a 200 (OK) response. That is partly because 6684 most clients are prepared to receive a 200 (OK) to complete the 6685 task (albeit less efficiently) and partly because clients might 6686 not stop making an invalid partial request until they have 6687 received a complete representation. Thus, clients cannot depend 6688 on receiving a 416 (Range Not Satisfiable) response even when it 6689 is most appropriate. 6691 10.5.18. 417 Expectation Failed 6693 The 417 (Expectation Failed) status code indicates that the 6694 expectation given in the request's Expect header field 6695 (Section 9.1.1) could not be met by at least one of the inbound 6696 servers. 6698 10.5.19. 418 (Unused) 6700 [RFC2324] was an April 1 RFC that lampooned the various ways HTTP was 6701 abused; one such abuse was the definition of an application-specific 6702 418 status code. In the intervening years, this status code has been 6703 widely implemented as an "Easter Egg", and therefore is effectively 6704 consumed by this use. 6706 Therefore, the 418 status code is reserved in the IANA HTTP Status 6707 Code Registry. This indicates that the status code cannot be 6708 assigned to other applications currently. If future circumstances 6709 require its use (e.g., exhaustion of 4NN status codes), it can be re- 6710 assigned to another use. 6712 10.5.20. 422 Unprocessable Payload 6714 The 422 (Unprocessable Payload) status code indicates that the server 6715 understands the content type of the request payload (hence a 415 6716 (Unsupported Media Type) status code is inappropriate), and the 6717 syntax of the request payload is correct, but was unable to process 6718 the contained instructions. For example, this status code can be 6719 sent if an XML request payload contains well-formed (i.e., 6720 syntactically correct), but semantically erroneous XML instructions. 6722 10.5.21. 426 Upgrade Required 6724 The 426 (Upgrade Required) status code indicates that the server 6725 refuses to perform the request using the current protocol but might 6726 be willing to do so after the client upgrades to a different 6727 protocol. The server MUST send an Upgrade header field in a 426 6728 response to indicate the required protocol(s) (Section 9.9 of 6729 [Messaging]). 6731 Example: 6733 HTTP/1.1 426 Upgrade Required 6734 Upgrade: HTTP/3.0 6735 Connection: Upgrade 6736 Content-Length: 53 6737 Content-Type: text/plain 6739 This service requires use of the HTTP/3.0 protocol. 6741 10.6. Server Error 5xx 6743 The 5xx (Server Error) class of status code indicates that the server 6744 is aware that it has erred or is incapable of performing the 6745 requested method. Except when responding to a HEAD request, the 6746 server SHOULD send a representation containing an explanation of the 6747 error situation, and whether it is a temporary or permanent 6748 condition. A user agent SHOULD display any included representation 6749 to the user. These response codes are applicable to any request 6750 method. 6752 10.6.1. 500 Internal Server Error 6754 The 500 (Internal Server Error) status code indicates that the server 6755 encountered an unexpected condition that prevented it from fulfilling 6756 the request. 6758 10.6.2. 501 Not Implemented 6760 The 501 (Not Implemented) status code indicates that the server does 6761 not support the functionality required to fulfill the request. This 6762 is the appropriate response when the server does not recognize the 6763 request method and is not capable of supporting it for any resource. 6765 A 501 response is heuristically cacheable; i.e., unless otherwise 6766 indicated by the method definition or explicit cache controls (see 6767 Section 4.2.2 of [Caching]). 6769 10.6.3. 502 Bad Gateway 6771 The 502 (Bad Gateway) status code indicates that the server, while 6772 acting as a gateway or proxy, received an invalid response from an 6773 inbound server it accessed while attempting to fulfill the request. 6775 10.6.4. 503 Service Unavailable 6777 The 503 (Service Unavailable) status code indicates that the server 6778 is currently unable to handle the request due to a temporary overload 6779 or scheduled maintenance, which will likely be alleviated after some 6780 delay. The server MAY send a Retry-After header field 6781 (Section 11.1.3) to suggest an appropriate amount of time for the 6782 client to wait before retrying the request. 6784 Note: The existence of the 503 status code does not imply that a 6785 server has to use it when becoming overloaded. Some servers might 6786 simply refuse the connection. 6788 10.6.5. 504 Gateway Timeout 6790 The 504 (Gateway Timeout) status code indicates that the server, 6791 while acting as a gateway or proxy, did not receive a timely response 6792 from an upstream server it needed to access in order to complete the 6793 request. 6795 10.6.6. 505 HTTP Version Not Supported 6797 The 505 (HTTP Version Not Supported) status code indicates that the 6798 server does not support, or refuses to support, the major version of 6799 HTTP that was used in the request message. The server is indicating 6800 that it is unable or unwilling to complete the request using the same 6801 major version as the client, as described in Section 4.2, other than 6802 with this error message. The server SHOULD generate a representation 6803 for the 505 response that describes why that version is not supported 6804 and what other protocols are supported by that server. 6806 10.7. Status Code Extensibility 6808 Additional status codes, outside the scope of this specification, 6809 have been specified for use in HTTP. All such status codes ought to 6810 be registered within the "Hypertext Transfer Protocol (HTTP) Status 6811 Code Registry". 6813 10.7.1. Status Code Registry 6815 The "Hypertext Transfer Protocol (HTTP) Status Code Registry", 6816 maintained by IANA at , registers status code numbers. 6819 A registration MUST include the following fields: 6821 o Status Code (3 digits) 6823 o Short Description 6825 o Pointer to specification text 6827 Values to be added to the HTTP status code namespace require IETF 6828 Review (see [RFC8126], Section 4.8). 6830 10.7.2. Considerations for New Status Codes 6832 When it is necessary to express semantics for a response that are not 6833 defined by current status codes, a new status code can be registered. 6834 Status codes are generic; they are potentially applicable to any 6835 resource, not just one particular media type, kind of resource, or 6836 application of HTTP. As such, it is preferred that new status codes 6837 be registered in a document that isn't specific to a single 6838 application. 6840 New status codes are required to fall under one of the categories 6841 defined in Section 10. To allow existing parsers to process the 6842 response message, new status codes cannot disallow a payload, 6843 although they can mandate a zero-length payload body. 6845 Proposals for new status codes that are not yet widely deployed ought 6846 to avoid allocating a specific number for the code until there is 6847 clear consensus that it will be registered; instead, early drafts can 6848 use a notation such as "4NN", or "3N0" .. "3N9", to indicate the 6849 class of the proposed status code(s) without consuming a number 6850 prematurely. 6852 The definition of a new status code ought to explain the request 6853 conditions that would cause a response containing that status code 6854 (e.g., combinations of request header fields and/or method(s)) along 6855 with any dependencies on response header fields (e.g., what fields 6856 are required, what fields can modify the semantics, and what field 6857 semantics are further refined when used with the new status code). 6859 By default, a status code applies only to the request corresponding 6860 to the response it occurs within. If a status code applies to a 6861 larger scope of applicability -- for example, all requests to the 6862 resource in question, or all requests to a server -- this must be 6863 explicitly specified. When doing so, it should be noted that not all 6864 clients can be expected to consistently apply a larger scope, because 6865 they might not understand the new status code. 6867 The definition of a new status code ought to specify whether or not 6868 it is cacheable. Note that all status codes can be cached if the 6869 response they occur in has explicit freshness information; however, 6870 status codes that are defined as being cacheable are allowed to be 6871 cached without explicit freshness information. Likewise, the 6872 definition of a status code can place constraints upon cache 6873 behavior. See [Caching] for more information. 6875 Finally, the definition of a new status code ought to indicate 6876 whether the payload has any implied association with an identified 6877 resource (Section 7.3.2). 6879 11. Response Header Fields 6881 The response header fields allow the server to pass additional 6882 information about the response beyond the status code. These header 6883 fields give information about the server, about further access to the 6884 target resource, or about related resources. 6886 Although each response header field has a defined meaning, in 6887 general, the precise semantics might be further refined by the 6888 semantics of the request method and/or response status code. 6890 11.1. Control Data 6892 Response header fields can supply control data that supplements the 6893 status code, directs caching, or instructs the client where to go 6894 next. 6896 +---------------+--------------------------+ 6897 | Field Name | Defined in... | 6898 +---------------+--------------------------+ 6899 | Age | Section 5.1 of [Caching] | 6900 | Cache-Control | Section 5.2 of [Caching] | 6901 | Expires | Section 5.3 of [Caching] | 6902 | Date | Section 11.1.1 | 6903 | Location | Section 11.1.2 | 6904 | Retry-After | Section 11.1.3 | 6905 | Vary | Section 11.1.4 | 6906 | Warning | Section 5.5 of [Caching] | 6907 +---------------+--------------------------+ 6909 11.1.1. Date 6911 The "Date" header field represents the date and time at which the 6912 message was originated, having the same semantics as the Origination 6913 Date Field (orig-date) defined in Section 3.6.1 of [RFC5322]. The 6914 field value is an HTTP-date, as defined in Section 5.4.1.5. 6916 Date = HTTP-date 6918 An example is 6920 Date: Tue, 15 Nov 1994 08:12:31 GMT 6922 When a Date header field is generated, the sender SHOULD generate its 6923 field value as the best available approximation of the date and time 6924 of message generation. In theory, the date ought to represent the 6925 moment just before the payload is generated. In practice, the date 6926 can be generated at any time during message origination. 6928 An origin server MUST NOT send a Date header field if it does not 6929 have a clock capable of providing a reasonable approximation of the 6930 current instance in Coordinated Universal Time. An origin server MAY 6931 send a Date header field if the response is in the 1xx 6932 (Informational) or 5xx (Server Error) class of status codes. An 6933 origin server MUST send a Date header field in all other cases. 6935 A recipient with a clock that receives a response message without a 6936 Date header field MUST record the time it was received and append a 6937 corresponding Date header field to the message's header section if it 6938 is cached or forwarded downstream. 6940 A user agent MAY send a Date header field in a request, though 6941 generally will not do so unless it is believed to convey useful 6942 information to the server. For example, custom applications of HTTP 6943 might convey a Date if the server is expected to adjust its 6944 interpretation of the user's request based on differences between the 6945 user agent and server clocks. 6947 11.1.2. Location 6949 The "Location" header field is used in some responses to refer to a 6950 specific resource in relation to the response. The type of 6951 relationship is defined by the combination of request method and 6952 status code semantics. 6954 Location = URI-reference 6956 The field value consists of a single URI-reference. When it has the 6957 form of a relative reference ([RFC3986], Section 4.2), the final 6958 value is computed by resolving it against the target URI ([RFC3986], 6959 Section 5). 6961 For 201 (Created) responses, the Location value refers to the primary 6962 resource created by the request. For 3xx (Redirection) responses, 6963 the Location value refers to the preferred target resource for 6964 automatically redirecting the request. 6966 If the Location value provided in a 3xx (Redirection) response does 6967 not have a fragment component, a user agent MUST process the 6968 redirection as if the value inherits the fragment component of the 6969 URI reference used to generate the target URI (i.e., the redirection 6970 inherits the original reference's fragment, if any). 6972 For example, a GET request generated for the URI reference 6973 "http://www.example.org/~tim" might result in a 303 (See Other) 6974 response containing the header field: 6976 Location: /People.html#tim 6978 which suggests that the user agent redirect to 6979 "http://www.example.org/People.html#tim" 6981 Likewise, a GET request generated for the URI reference 6982 "http://www.example.org/index.html#larry" might result in a 301 6983 (Moved Permanently) response containing the header field: 6985 Location: http://www.example.net/index.html 6987 which suggests that the user agent redirect to 6988 "http://www.example.net/index.html#larry", preserving the original 6989 fragment identifier. 6991 There are circumstances in which a fragment identifier in a Location 6992 value would not be appropriate. For example, the Location header 6993 field in a 201 (Created) response is supposed to provide a URI that 6994 is specific to the created resource. 6996 Note: Some recipients attempt to recover from Location fields that 6997 are not valid URI references. This specification does not mandate 6998 or define such processing, but does allow it for the sake of 6999 robustness. 7001 Note: The Content-Location header field (Section 7.2.5) differs 7002 from Location in that the Content-Location refers to the most 7003 specific resource corresponding to the enclosed representation. 7004 It is therefore possible for a response to contain both the 7005 Location and Content-Location header fields. 7007 11.1.3. Retry-After 7009 Servers send the "Retry-After" header field to indicate how long the 7010 user agent ought to wait before making a follow-up request. When 7011 sent with a 503 (Service Unavailable) response, Retry-After indicates 7012 how long the service is expected to be unavailable to the client. 7013 When sent with any 3xx (Redirection) response, Retry-After indicates 7014 the minimum time that the user agent is asked to wait before issuing 7015 the redirected request. 7017 The value of this field can be either an HTTP-date or a number of 7018 seconds to delay after the response is received. 7020 Retry-After = HTTP-date / delay-seconds 7022 A delay-seconds value is a non-negative decimal integer, representing 7023 time in seconds. 7025 delay-seconds = 1*DIGIT 7027 Two examples of its use are 7029 Retry-After: Fri, 31 Dec 1999 23:59:59 GMT 7030 Retry-After: 120 7032 In the latter example, the delay is 2 minutes. 7034 11.1.4. Vary 7036 The "Vary" header field in a response describes what parts of a 7037 request message, aside from the method, Host header field, and target 7038 URI, might influence the origin server's process for selecting and 7039 representing this response. 7041 Vary = 1#( "*" / field-name ) 7043 A Vary field value is a list of request field names, known as the 7044 selecting header fields, that might have a role in selecting the 7045 representation for this response. Potential selecting header fields 7046 are not limited to those defined by this specification. 7048 If the list contains "*", it signals that other aspects of the 7049 request might play a role in selecting the response representation, 7050 possibly including elements outside the message syntax (e.g., the 7051 client's network address). A recipient will not be able to determine 7052 whether this response is appropriate for a later request without 7053 forwarding the request to the origin server. A proxy MUST NOT 7054 generate "*" in a Vary field value. 7056 For example, a response that contains 7058 Vary: accept-encoding, accept-language 7060 indicates that the origin server might have used the request's 7061 Accept-Encoding and Accept-Language fields (or lack thereof) as 7062 determining factors while choosing the content for this response. 7064 An origin server might send Vary with a list of fields for two 7065 purposes: 7067 1. To inform cache recipients that they MUST NOT use this response 7068 to satisfy a later request unless the later request has the same 7069 values for the listed fields as the original request (Section 4.1 7070 of [Caching]). In other words, Vary expands the cache key 7071 required to match a new request to the stored cache entry. 7073 2. To inform user agent recipients that this response is subject to 7074 content negotiation (Section 9.4) and that a different 7075 representation might be sent in a subsequent request if 7076 additional parameters are provided in the listed header fields 7077 (proactive negotiation). 7079 An origin server SHOULD send a Vary header field when its algorithm 7080 for selecting a representation varies based on aspects of the request 7081 message other than the method and target URI, unless the variance 7082 cannot be crossed or the origin server has been deliberately 7083 configured to prevent cache transparency. For example, there is no 7084 need to send the Authorization field name in Vary because reuse 7085 across users is constrained by the field definition (Section 9.5.3). 7086 Likewise, an origin server might use Cache-Control response 7087 directives (Section 5.2 of [Caching]) to supplant Vary if it 7088 considers the variance less significant than the performance cost of 7089 Vary's impact on caching. 7091 11.2. Validators 7093 Validator header fields convey metadata about the selected 7094 representation (Section 7). In responses to safe requests, validator 7095 fields describe the selected representation chosen by the origin 7096 server while handling the response. Note that, depending on the 7097 status code semantics, the selected representation for a given 7098 response is not necessarily the same as the representation enclosed 7099 as response payload. 7101 In a successful response to a state-changing request, validator 7102 fields describe the new representation that has replaced the prior 7103 selected representation as a result of processing the request. 7105 For example, an ETag field in a 201 (Created) response communicates 7106 the entity-tag of the newly created resource's representation, so 7107 that it can be used in later conditional requests to prevent the 7108 "lost update" problem Section 9.2. 7110 +---------------+----------------+ 7111 | Field Name | Defined in... | 7112 +---------------+----------------+ 7113 | ETag | Section 11.2.3 | 7114 | Last-Modified | Section 11.2.2 | 7115 +---------------+----------------+ 7117 This specification defines two forms of metadata that are commonly 7118 used to observe resource state and test for preconditions: 7119 modification dates (Section 11.2.2) and opaque entity tags 7120 (Section 11.2.3). Additional metadata that reflects resource state 7121 has been defined by various extensions of HTTP, such as Web 7122 Distributed Authoring and Versioning (WebDAV, [RFC4918]), that are 7123 beyond the scope of this specification. A resource metadata value is 7124 referred to as a "validator" when it is used within a precondition. 7126 11.2.1. Weak versus Strong 7128 Validators come in two flavors: strong or weak. Weak validators are 7129 easy to generate but are far less useful for comparisons. Strong 7130 validators are ideal for comparisons but can be very difficult (and 7131 occasionally impossible) to generate efficiently. Rather than impose 7132 that all forms of resource adhere to the same strength of validator, 7133 HTTP exposes the type of validator in use and imposes restrictions on 7134 when weak validators can be used as preconditions. 7136 A "strong validator" is representation metadata that changes value 7137 whenever a change occurs to the representation data that would be 7138 observable in the payload body of a 200 (OK) response to GET. 7140 A strong validator might change for reasons other than a change to 7141 the representation data, such as when a semantically significant part 7142 of the representation metadata is changed (e.g., Content-Type), but 7143 it is in the best interests of the origin server to only change the 7144 value when it is necessary to invalidate the stored responses held by 7145 remote caches and authoring tools. 7147 Cache entries might persist for arbitrarily long periods, regardless 7148 of expiration times. Thus, a cache might attempt to validate an 7149 entry using a validator that it obtained in the distant past. A 7150 strong validator is unique across all versions of all representations 7151 associated with a particular resource over time. However, there is 7152 no implication of uniqueness across representations of different 7153 resources (i.e., the same strong validator might be in use for 7154 representations of multiple resources at the same time and does not 7155 imply that those representations are equivalent). 7157 There are a variety of strong validators used in practice. The best 7158 are based on strict revision control, wherein each change to a 7159 representation always results in a unique node name and revision 7160 identifier being assigned before the representation is made 7161 accessible to GET. A collision-resistant hash function applied to 7162 the representation data is also sufficient if the data is available 7163 prior to the response header fields being sent and the digest does 7164 not need to be recalculated every time a validation request is 7165 received. However, if a resource has distinct representations that 7166 differ only in their metadata, such as might occur with content 7167 negotiation over media types that happen to share the same data 7168 format, then the origin server needs to incorporate additional 7169 information in the validator to distinguish those representations. 7171 In contrast, a "weak validator" is representation metadata that might 7172 not change for every change to the representation data. This 7173 weakness might be due to limitations in how the value is calculated, 7174 such as clock resolution, an inability to ensure uniqueness for all 7175 possible representations of the resource, or a desire of the resource 7176 owner to group representations by some self-determined set of 7177 equivalency rather than unique sequences of data. An origin server 7178 SHOULD change a weak entity-tag whenever it considers prior 7179 representations to be unacceptable as a substitute for the current 7180 representation. In other words, a weak entity-tag ought to change 7181 whenever the origin server wants caches to invalidate old responses. 7183 For example, the representation of a weather report that changes in 7184 content every second, based on dynamic measurements, might be grouped 7185 into sets of equivalent representations (from the origin server's 7186 perspective) with the same weak validator in order to allow cached 7187 representations to be valid for a reasonable period of time (perhaps 7188 adjusted dynamically based on server load or weather quality). 7189 Likewise, a representation's modification time, if defined with only 7190 one-second resolution, might be a weak validator if it is possible 7191 for the representation to be modified twice during a single second 7192 and retrieved between those modifications. 7194 Likewise, a validator is weak if it is shared by two or more 7195 representations of a given resource at the same time, unless those 7196 representations have identical representation data. For example, if 7197 the origin server sends the same validator for a representation with 7198 a gzip content coding applied as it does for a representation with no 7199 content coding, then that validator is weak. However, two 7200 simultaneous representations might share the same strong validator if 7201 they differ only in the representation metadata, such as when two 7202 different media types are available for the same representation data. 7204 Strong validators are usable for all conditional requests, including 7205 cache validation, partial content ranges, and "lost update" 7206 avoidance. Weak validators are only usable when the client does not 7207 require exact equality with previously obtained representation data, 7208 such as when validating a cache entry or limiting a web traversal to 7209 recent changes. 7211 11.2.2. Last-Modified 7213 The "Last-Modified" header field in a response provides a timestamp 7214 indicating the date and time at which the origin server believes the 7215 selected representation was last modified, as determined at the 7216 conclusion of handling the request. 7218 Last-Modified = HTTP-date 7220 An example of its use is 7221 Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT 7223 11.2.2.1. Generation 7225 An origin server SHOULD send Last-Modified for any selected 7226 representation for which a last modification date can be reasonably 7227 and consistently determined, since its use in conditional requests 7228 and evaluating cache freshness ([Caching]) results in a substantial 7229 reduction of HTTP traffic on the Internet and can be a significant 7230 factor in improving service scalability and reliability. 7232 A representation is typically the sum of many parts behind the 7233 resource interface. The last-modified time would usually be the most 7234 recent time that any of those parts were changed. How that value is 7235 determined for any given resource is an implementation detail beyond 7236 the scope of this specification. What matters to HTTP is how 7237 recipients of the Last-Modified header field can use its value to 7238 make conditional requests and test the validity of locally cached 7239 responses. 7241 An origin server SHOULD obtain the Last-Modified value of the 7242 representation as close as possible to the time that it generates the 7243 Date field value for its response. This allows a recipient to make 7244 an accurate assessment of the representation's modification time, 7245 especially if the representation changes near the time that the 7246 response is generated. 7248 An origin server with a clock MUST NOT send a Last-Modified date that 7249 is later than the server's time of message origination (Date). If 7250 the last modification time is derived from implementation-specific 7251 metadata that evaluates to some time in the future, according to the 7252 origin server's clock, then the origin server MUST replace that value 7253 with the message origination date. This prevents a future 7254 modification date from having an adverse impact on cache validation. 7256 An origin server without a clock MUST NOT assign Last-Modified values 7257 to a response unless these values were associated with the resource 7258 by some other system or user with a reliable clock. 7260 11.2.2.2. Comparison 7262 A Last-Modified time, when used as a validator in a request, is 7263 implicitly weak unless it is possible to deduce that it is strong, 7264 using the following rules: 7266 o The validator is being compared by an origin server to the actual 7267 current validator for the representation and, 7269 o That origin server reliably knows that the associated 7270 representation did not change twice during the second covered by 7271 the presented validator. 7273 or 7275 o The validator is about to be used by a client in an If-Modified- 7276 Since, If-Unmodified-Since, or If-Range header field, because the 7277 client has a cache entry for the associated representation, and 7279 o That cache entry includes a Date value, which gives the time when 7280 the origin server sent the original response, and 7282 o The presented Last-Modified time is at least 60 seconds before the 7283 Date value. 7285 or 7287 o The validator is being compared by an intermediate cache to the 7288 validator stored in its cache entry for the representation, and 7290 o That cache entry includes a Date value, which gives the time when 7291 the origin server sent the original response, and 7293 o The presented Last-Modified time is at least 60 seconds before the 7294 Date value. 7296 This method relies on the fact that if two different responses were 7297 sent by the origin server during the same second, but both had the 7298 same Last-Modified time, then at least one of those responses would 7299 have a Date value equal to its Last-Modified time. The arbitrary 7300 60-second limit guards against the possibility that the Date and 7301 Last-Modified values are generated from different clocks or at 7302 somewhat different times during the preparation of the response. An 7303 implementation MAY use a value larger than 60 seconds, if it is 7304 believed that 60 seconds is too short. 7306 11.2.3. ETag 7308 The "ETag" field in a response provides the current entity-tag for 7309 the selected representation, as determined at the conclusion of 7310 handling the request. An entity-tag is an opaque validator for 7311 differentiating between multiple representations of the same 7312 resource, regardless of whether those multiple representations are 7313 due to resource state changes over time, content negotiation 7314 resulting in multiple representations being valid at the same time, 7315 or both. An entity-tag consists of an opaque quoted string, possibly 7316 prefixed by a weakness indicator. 7318 ETag = entity-tag 7320 entity-tag = [ weak ] opaque-tag 7321 weak = %s"W/" 7322 opaque-tag = DQUOTE *etagc DQUOTE 7323 etagc = %x21 / %x23-7E / obs-text 7324 ; VCHAR except double quotes, plus obs-text 7326 Note: Previously, opaque-tag was defined to be a quoted-string 7327 ([RFC2616], Section 3.11); thus, some recipients might perform 7328 backslash unescaping. Servers therefore ought to avoid backslash 7329 characters in entity tags. 7331 An entity-tag can be more reliable for validation than a modification 7332 date in situations where it is inconvenient to store modification 7333 dates, where the one-second resolution of HTTP date values is not 7334 sufficient, or where modification dates are not consistently 7335 maintained. 7337 Examples: 7339 ETag: "xyzzy" 7340 ETag: W/"xyzzy" 7341 ETag: "" 7343 An entity-tag can be either a weak or strong validator, with strong 7344 being the default. If an origin server provides an entity-tag for a 7345 representation and the generation of that entity-tag does not satisfy 7346 all of the characteristics of a strong validator (Section 11.2.1), 7347 then the origin server MUST mark the entity-tag as weak by prefixing 7348 its opaque value with "W/" (case-sensitive). 7350 A sender MAY send the Etag field in a trailer section (see 7351 Section 5.6). However, since trailers are often ignored, it is 7352 preferable to send Etag as a header field unless the entity-tag is 7353 generated while sending the message body. 7355 11.2.3.1. Generation 7357 The principle behind entity-tags is that only the service author 7358 knows the implementation of a resource well enough to select the most 7359 accurate and efficient validation mechanism for that resource, and 7360 that any such mechanism can be mapped to a simple sequence of octets 7361 for easy comparison. Since the value is opaque, there is no need for 7362 the client to be aware of how each entity-tag is constructed. 7364 For example, a resource that has implementation-specific versioning 7365 applied to all changes might use an internal revision number, perhaps 7366 combined with a variance identifier for content negotiation, to 7367 accurately differentiate between representations. Other 7368 implementations might use a collision-resistant hash of 7369 representation content, a combination of various file attributes, or 7370 a modification timestamp that has sub-second resolution. 7372 An origin server SHOULD send an ETag for any selected representation 7373 for which detection of changes can be reasonably and consistently 7374 determined, since the entity-tag's use in conditional requests and 7375 evaluating cache freshness ([Caching]) can result in a substantial 7376 reduction of HTTP network traffic and can be a significant factor in 7377 improving service scalability and reliability. 7379 11.2.3.2. Comparison 7381 There are two entity-tag comparison functions, depending on whether 7382 or not the comparison context allows the use of weak validators: 7384 o Strong comparison: two entity-tags are equivalent if both are not 7385 weak and their opaque-tags match character-by-character. 7387 o Weak comparison: two entity-tags are equivalent if their opaque- 7388 tags match character-by-character, regardless of either or both 7389 being tagged as "weak". 7391 The example below shows the results for a set of entity-tag pairs and 7392 both the weak and strong comparison function results: 7394 +--------+--------+-------------------+-----------------+ 7395 | ETag 1 | ETag 2 | Strong Comparison | Weak Comparison | 7396 +--------+--------+-------------------+-----------------+ 7397 | W/"1" | W/"1" | no match | match | 7398 | W/"1" | W/"2" | no match | no match | 7399 | W/"1" | "1" | no match | match | 7400 | "1" | "1" | match | match | 7401 +--------+--------+-------------------+-----------------+ 7403 11.2.3.3. Example: Entity-Tags Varying on Content-Negotiated Resources 7405 Consider a resource that is subject to content negotiation 7406 (Section 7.4), and where the representations sent in response to a 7407 GET request vary based on the Accept-Encoding request header field 7408 (Section 9.4.3): 7410 >> Request: 7412 GET /index HTTP/1.1 7413 Host: www.example.com 7414 Accept-Encoding: gzip 7416 In this case, the response might or might not use the gzip content 7417 coding. If it does not, the response might look like: 7419 >> Response: 7421 HTTP/1.1 200 OK 7422 Date: Fri, 26 Mar 2010 00:05:00 GMT 7423 ETag: "123-a" 7424 Content-Length: 70 7425 Vary: Accept-Encoding 7426 Content-Type: text/plain 7428 Hello World! 7429 Hello World! 7430 Hello World! 7431 Hello World! 7432 Hello World! 7434 An alternative representation that does use gzip content coding would 7435 be: 7437 >> Response: 7439 HTTP/1.1 200 OK 7440 Date: Fri, 26 Mar 2010 00:05:00 GMT 7441 ETag: "123-b" 7442 Content-Length: 43 7443 Vary: Accept-Encoding 7444 Content-Type: text/plain 7445 Content-Encoding: gzip 7447 ...binary data... 7449 Note: Content codings are a property of the representation data, 7450 so a strong entity-tag for a content-encoded representation has to 7451 be distinct from the entity tag of an unencoded representation to 7452 prevent potential conflicts during cache updates and range 7453 requests. In contrast, transfer codings (Section 7 of 7454 [Messaging]) apply only during message transfer and do not result 7455 in distinct entity-tags. 7457 11.2.4. When to Use Entity-Tags and Last-Modified Dates 7459 In 200 (OK) responses to GET or HEAD, an origin server: 7461 o SHOULD send an entity-tag validator unless it is not feasible to 7462 generate one. 7464 o MAY send a weak entity-tag instead of a strong entity-tag, if 7465 performance considerations support the use of weak entity-tags, or 7466 if it is unfeasible to send a strong entity-tag. 7468 o SHOULD send a Last-Modified value if it is feasible to send one. 7470 In other words, the preferred behavior for an origin server is to 7471 send both a strong entity-tag and a Last-Modified value in successful 7472 responses to a retrieval request. 7474 A client: 7476 o MUST send that entity-tag in any cache validation request (using 7477 If-Match or If-None-Match) if an entity-tag has been provided by 7478 the origin server. 7480 o SHOULD send the Last-Modified value in non-subrange cache 7481 validation requests (using If-Modified-Since) if only a Last- 7482 Modified value has been provided by the origin server. 7484 o MAY send the Last-Modified value in subrange cache validation 7485 requests (using If-Unmodified-Since) if only a Last-Modified value 7486 has been provided by an HTTP/1.0 origin server. The user agent 7487 SHOULD provide a way to disable this, in case of difficulty. 7489 o SHOULD send both validators in cache validation requests if both 7490 an entity-tag and a Last-Modified value have been provided by the 7491 origin server. This allows both HTTP/1.0 and HTTP/1.1 caches to 7492 respond appropriately. 7494 11.3. Authentication Challenges 7496 Authentication challenges indicate what mechanisms are available for 7497 the client to provide authentication credentials in future requests. 7499 +--------------------+----------------+ 7500 | Field Name | Defined in... | 7501 +--------------------+----------------+ 7502 | WWW-Authenticate | Section 11.3.1 | 7503 | Proxy-Authenticate | Section 11.3.2 | 7504 +--------------------+----------------+ 7505 Furthermore, the "Authentication-Info" and "Proxy-Authentication- 7506 Info" response header fields are defined for use in authentication 7507 schemes that need to return information once the client's 7508 authentication credentials have been accepted. 7510 +---------------------------+----------------+ 7511 | Field Name | Defined in... | 7512 +---------------------------+----------------+ 7513 | Authentication-Info | Section 11.3.3 | 7514 | Proxy-Authentication-Info | Section 11.3.4 | 7515 +---------------------------+----------------+ 7517 11.3.1. WWW-Authenticate 7519 The "WWW-Authenticate" header field indicates the authentication 7520 scheme(s) and parameters applicable to the target resource. 7522 WWW-Authenticate = 1#challenge 7524 A server generating a 401 (Unauthorized) response MUST send a WWW- 7525 Authenticate header field containing at least one challenge. A 7526 server MAY generate a WWW-Authenticate header field in other response 7527 messages to indicate that supplying credentials (or different 7528 credentials) might affect the response. 7530 A proxy forwarding a response MUST NOT modify any WWW-Authenticate 7531 fields in that response. 7533 User agents are advised to take special care in parsing the field 7534 value, as it might contain more than one challenge, and each 7535 challenge can contain a comma-separated list of authentication 7536 parameters. Furthermore, the header field itself can occur multiple 7537 times. 7539 For instance: 7541 WWW-Authenticate: Newauth realm="apps", type=1, 7542 title="Login to \"apps\"", Basic realm="simple" 7544 This header field contains two challenges; one for the "Newauth" 7545 scheme with a realm value of "apps", and two additional parameters 7546 "type" and "title", and another one for the "Basic" scheme with a 7547 realm value of "simple". 7549 Note: The challenge grammar production uses the list syntax as 7550 well. Therefore, a sequence of comma, whitespace, and comma can 7551 be considered either as applying to the preceding challenge, or to 7552 be an empty entry in the list of challenges. In practice, this 7553 ambiguity does not affect the semantics of the header field value 7554 and thus is harmless. 7556 11.3.2. Proxy-Authenticate 7558 The "Proxy-Authenticate" header field consists of at least one 7559 challenge that indicates the authentication scheme(s) and parameters 7560 applicable to the proxy for this request. A proxy MUST send at least 7561 one Proxy-Authenticate header field in each 407 (Proxy Authentication 7562 Required) response that it generates. 7564 Proxy-Authenticate = 1#challenge 7566 Unlike WWW-Authenticate, the Proxy-Authenticate header field applies 7567 only to the next outbound client on the response chain. This is 7568 because only the client that chose a given proxy is likely to have 7569 the credentials necessary for authentication. However, when multiple 7570 proxies are used within the same administrative domain, such as 7571 office and regional caching proxies within a large corporate network, 7572 it is common for credentials to be generated by the user agent and 7573 passed through the hierarchy until consumed. Hence, in such a 7574 configuration, it will appear as if Proxy-Authenticate is being 7575 forwarded because each proxy will send the same challenge set. 7577 Note that the parsing considerations for WWW-Authenticate apply to 7578 this header field as well; see Section 11.3.1 for details. 7580 11.3.3. Authentication-Info 7582 HTTP authentication schemes can use the Authentication-Info response 7583 header field to communicate information after the client's 7584 authentication credentials have been accepted. This information can 7585 include a finalization message from the server (e.g., it can contain 7586 the server authentication). 7588 The field value is a list of parameters (name/value pairs), using the 7589 "auth-param" syntax defined in Section 9.5.1. This specification 7590 only describes the generic format; authentication schemes using 7591 Authentication-Info will define the individual parameters. The 7592 "Digest" Authentication Scheme, for instance, defines multiple 7593 parameters in Section 3.5 of [RFC7616]. 7595 Authentication-Info = #auth-param 7597 The Authentication-Info header field can be used in any HTTP 7598 response, independently of request method and status code. Its 7599 semantics are defined by the authentication scheme indicated by the 7600 Authorization header field (Section 9.5.3) of the corresponding 7601 request. 7603 A proxy forwarding a response is not allowed to modify the field 7604 value in any way. 7606 Authentication-Info can be used inside trailers (Section 5.6) when 7607 the authentication scheme explicitly allows this. 7609 11.3.3.1. Parameter Value Format 7611 Parameter values can be expressed either as "token" or as "quoted- 7612 string" (Section 5.4.1). 7614 Authentication scheme definitions need to allow both notations, both 7615 for senders and recipients. This allows recipients to use generic 7616 parsing components, independent of the authentication scheme in use. 7618 For backwards compatibility, authentication scheme definitions can 7619 restrict the format for senders to one of the two variants. This can 7620 be important when it is known that deployed implementations will fail 7621 when encountering one of the two formats. 7623 11.3.4. Proxy-Authentication-Info 7625 The Proxy-Authentication-Info response header field is equivalent to 7626 Authentication-Info, except that it applies to proxy authentication 7627 (Section 9.5.1) and its semantics are defined by the authentication 7628 scheme indicated by the Proxy-Authorization header field 7629 (Section 9.5.4) of the corresponding request: 7631 Proxy-Authentication-Info = #auth-param 7633 However, unlike Authentication-Info, the Proxy-Authentication-Info 7634 header field applies only to the next outbound client on the response 7635 chain. This is because only the client that chose a given proxy is 7636 likely to have the credentials necessary for authentication. 7637 However, when multiple proxies are used within the same 7638 administrative domain, such as office and regional caching proxies 7639 within a large corporate network, it is common for credentials to be 7640 generated by the user agent and passed through the hierarchy until 7641 consumed. Hence, in such a configuration, it will appear as if 7642 Proxy-Authentication-Info is being forwarded because each proxy will 7643 send the same field value. 7645 11.4. Response Context 7647 The remaining response header fields provide more information about 7648 the target resource for potential use in later requests. 7650 +---------------+----------------+ 7651 | Field Name | Defined in... | 7652 +---------------+----------------+ 7653 | Accept-Ranges | Section 11.4.1 | 7654 | Allow | Section 11.4.2 | 7655 | Server | Section 11.4.3 | 7656 +---------------+----------------+ 7658 11.4.1. Accept-Ranges 7660 The "Accept-Ranges" header field allows a server to indicate that it 7661 supports range requests for the target resource. 7663 Accept-Ranges = acceptable-ranges 7664 acceptable-ranges = 1#range-unit / "none" 7666 An origin server that supports byte-range requests for a given target 7667 resource MAY send 7669 Accept-Ranges: bytes 7671 to indicate what range units are supported. A client MAY generate 7672 range requests without having received this header field for the 7673 resource involved. Range units are defined in Section 7.1.4. 7675 A server that does not support any kind of range request for the 7676 target resource MAY send 7678 Accept-Ranges: none 7680 to advise the client not to attempt a range request. 7682 11.4.2. Allow 7684 The "Allow" header field lists the set of methods advertised as 7685 supported by the target resource. The purpose of this field is 7686 strictly to inform the recipient of valid request methods associated 7687 with the resource. 7689 Allow = #method 7691 Example of use: 7693 Allow: GET, HEAD, PUT 7695 The actual set of allowed methods is defined by the origin server at 7696 the time of each request. An origin server MUST generate an Allow 7697 field in a 405 (Method Not Allowed) response and MAY do so in any 7698 other response. An empty Allow field value indicates that the 7699 resource allows no methods, which might occur in a 405 response if 7700 the resource has been temporarily disabled by configuration. 7702 A proxy MUST NOT modify the Allow header field -- it does not need to 7703 understand all of the indicated methods in order to handle them 7704 according to the generic message handling rules. 7706 11.4.3. Server 7708 The "Server" header field contains information about the software 7709 used by the origin server to handle the request, which is often used 7710 by clients to help identify the scope of reported interoperability 7711 problems, to work around or tailor requests to avoid particular 7712 server limitations, and for analytics regarding server or operating 7713 system use. An origin server MAY generate a Server field in its 7714 responses. 7716 Server = product *( RWS ( product / comment ) ) 7718 The Server field value consists of one or more product identifiers, 7719 each followed by zero or more comments (Section 5.4.1.3), which 7720 together identify the origin server software and its significant 7721 subproducts. By convention, the product identifiers are listed in 7722 decreasing order of their significance for identifying the origin 7723 server software. Each product identifier consists of a name and 7724 optional version, as defined in Section 9.6.3. 7726 Example: 7728 Server: CERN/3.0 libwww/2.17 7730 An origin server SHOULD NOT generate a Server field containing 7731 needlessly fine-grained detail and SHOULD limit the addition of 7732 subproducts by third parties. Overly long and detailed Server field 7733 values increase response latency and potentially reveal internal 7734 implementation details that might make it (slightly) easier for 7735 attackers to find and exploit known security holes. 7737 12. Security Considerations 7739 This section is meant to inform developers, information providers, 7740 and users of known security concerns relevant to HTTP semantics and 7741 its use for transferring information over the Internet. 7742 Considerations related to message syntax, parsing, and routing are 7743 discussed in Section 11 of [Messaging]. 7745 The list of considerations below is not exhaustive. Most security 7746 concerns related to HTTP semantics are about securing server-side 7747 applications (code behind the HTTP interface), securing user agent 7748 processing of payloads received via HTTP, or secure use of the 7749 Internet in general, rather than security of the protocol. Various 7750 organizations maintain topical information and links to current 7751 research on Web application security (e.g., [OWASP]). 7753 12.1. Establishing Authority 7755 HTTP relies on the notion of an authoritative response: a response 7756 that has been determined by (or at the direction of) the origin 7757 server identified within the target URI to be the most appropriate 7758 response for that request given the state of the target resource at 7759 the time of response message origination. 7761 When a registered name is used in the authority component, the "http" 7762 URI scheme (Section 2.5.1) relies on the user's local name resolution 7763 service to determine where it can find authoritative responses. This 7764 means that any attack on a user's network host table, cached names, 7765 or name resolution libraries becomes an avenue for attack on 7766 establishing authority for "http" URIs. Likewise, the user's choice 7767 of server for Domain Name Service (DNS), and the hierarchy of servers 7768 from which it obtains resolution results, could impact the 7769 authenticity of address mappings; DNS Security Extensions (DNSSEC, 7770 [RFC4033]) are one way to improve authenticity. 7772 Furthermore, after an IP address is obtained, establishing authority 7773 for an "http" URI is vulnerable to attacks on Internet Protocol 7774 routing. 7776 The "https" scheme (Section 2.5.2) is intended to prevent (or at 7777 least reveal) many of these potential attacks on establishing 7778 authority, provided that the negotiated TLS connection is secured and 7779 the client properly verifies that the communicating server's identity 7780 matches the target URI's authority component (Section 6.4.3.1). 7781 Correctly implementing such verification can be difficult (see 7782 [Georgiev]). 7784 Authority for a given origin server can be delegated through protocol 7785 extensions; for example, [RFC7838]. Likewise, the set of servers 7786 that a connection is considered authoritative for can be changed with 7787 a protocol extension like [RFC8336]. 7789 Providing a response from a non-authoritative source, such as a 7790 shared proxy cache, is often useful to improve performance and 7791 availability, but only to the extent that the source can be trusted 7792 or the distrusted response can be safely used. 7794 Unfortunately, communicating authority to users can be difficult. 7795 For example, phishing is an attack on the user's perception of 7796 authority, where that perception can be misled by presenting similar 7797 branding in hypertext, possibly aided by userinfo obfuscating the 7798 authority component (see Section 2.5.1). User agents can reduce the 7799 impact of phishing attacks by enabling users to easily inspect a 7800 target URI prior to making an action, by prominently distinguishing 7801 (or rejecting) userinfo when present, and by not sending stored 7802 credentials and cookies when the referring document is from an 7803 unknown or untrusted source. 7805 12.2. Risks of Intermediaries 7807 By their very nature, HTTP intermediaries are men-in-the-middle and, 7808 thus, represent an opportunity for man-in-the-middle attacks. 7809 Compromise of the systems on which the intermediaries run can result 7810 in serious security and privacy problems. Intermediaries might have 7811 access to security-related information, personal information about 7812 individual users and organizations, and proprietary information 7813 belonging to users and content providers. A compromised 7814 intermediary, or an intermediary implemented or configured without 7815 regard to security and privacy considerations, might be used in the 7816 commission of a wide range of potential attacks. 7818 Intermediaries that contain a shared cache are especially vulnerable 7819 to cache poisoning attacks, as described in Section 7 of [Caching]. 7821 Implementers need to consider the privacy and security implications 7822 of their design and coding decisions, and of the configuration 7823 options they provide to operators (especially the default 7824 configuration). 7826 Users need to be aware that intermediaries are no more trustworthy 7827 than the people who run them; HTTP itself cannot solve this problem. 7829 12.3. Attacks Based on File and Path Names 7831 Origin servers frequently make use of their local file system to 7832 manage the mapping from target URI to resource representations. Most 7833 file systems are not designed to protect against malicious file or 7834 path names. Therefore, an origin server needs to avoid accessing 7835 names that have a special significance to the system when mapping the 7836 target resource to files, folders, or directories. 7838 For example, UNIX, Microsoft Windows, and other operating systems use 7839 ".." as a path component to indicate a directory level above the 7840 current one, and they use specially named paths or file names to send 7841 data to system devices. Similar naming conventions might exist 7842 within other types of storage systems. Likewise, local storage 7843 systems have an annoying tendency to prefer user-friendliness over 7844 security when handling invalid or unexpected characters, 7845 recomposition of decomposed characters, and case-normalization of 7846 case-insensitive names. 7848 Attacks based on such special names tend to focus on either denial- 7849 of-service (e.g., telling the server to read from a COM port) or 7850 disclosure of configuration and source files that are not meant to be 7851 served. 7853 12.4. Attacks Based on Command, Code, or Query Injection 7855 Origin servers often use parameters within the URI as a means of 7856 identifying system services, selecting database entries, or choosing 7857 a data source. However, data received in a request cannot be 7858 trusted. An attacker could construct any of the request data 7859 elements (method, target URI, header fields, or body) to contain data 7860 that might be misinterpreted as a command, code, or query when passed 7861 through a command invocation, language interpreter, or database 7862 interface. 7864 For example, SQL injection is a common attack wherein additional 7865 query language is inserted within some part of the target URI or 7866 header fields (e.g., Host, Referer, etc.). If the received data is 7867 used directly within a SELECT statement, the query language might be 7868 interpreted as a database command instead of a simple string value. 7869 This type of implementation vulnerability is extremely common, in 7870 spite of being easy to prevent. 7872 In general, resource implementations ought to avoid use of request 7873 data in contexts that are processed or interpreted as instructions. 7874 Parameters ought to be compared to fixed strings and acted upon as a 7875 result of that comparison, rather than passed through an interface 7876 that is not prepared for untrusted data. Received data that isn't 7877 based on fixed parameters ought to be carefully filtered or encoded 7878 to avoid being misinterpreted. 7880 Similar considerations apply to request data when it is stored and 7881 later processed, such as within log files, monitoring tools, or when 7882 included within a data format that allows embedded scripts. 7884 12.5. Attacks via Protocol Element Length 7886 Because HTTP uses mostly textual, character-delimited fields, parsers 7887 are often vulnerable to attacks based on sending very long (or very 7888 slow) streams of data, particularly where an implementation is 7889 expecting a protocol element with no predefined length (Section 3.3). 7891 To promote interoperability, specific recommendations are made for 7892 minimum size limits on request-line (Section 3 of [Messaging]) and 7893 fields (Section 5). These are minimum recommendations, chosen to be 7894 supportable even by implementations with limited resources; it is 7895 expected that most implementations will choose substantially higher 7896 limits. 7898 A server can reject a message that has a target URI that is too long 7899 (Section 10.5.15) or a request payload that is too large 7900 (Section 10.5.14). Additional status codes related to capacity 7901 limits have been defined by extensions to HTTP [RFC6585]. 7903 Recipients ought to carefully limit the extent to which they process 7904 other protocol elements, including (but not limited to) request 7905 methods, response status phrases, field names, numeric values, and 7906 body chunks. Failure to limit such processing can result in buffer 7907 overflows, arithmetic overflows, or increased vulnerability to 7908 denial-of-service attacks. 7910 12.6. Disclosure of Personal Information 7912 Clients are often privy to large amounts of personal information, 7913 including both information provided by the user to interact with 7914 resources (e.g., the user's name, location, mail address, passwords, 7915 encryption keys, etc.) and information about the user's browsing 7916 activity over time (e.g., history, bookmarks, etc.). Implementations 7917 need to prevent unintentional disclosure of personal information. 7919 12.7. Privacy of Server Log Information 7921 A server is in the position to save personal data about a user's 7922 requests over time, which might identify their reading patterns or 7923 subjects of interest. In particular, log information gathered at an 7924 intermediary often contains a history of user agent interaction, 7925 across a multitude of sites, that can be traced to individual users. 7927 HTTP log information is confidential in nature; its handling is often 7928 constrained by laws and regulations. Log information needs to be 7929 securely stored and appropriate guidelines followed for its analysis. 7930 Anonymization of personal information within individual entries 7931 helps, but it is generally not sufficient to prevent real log traces 7932 from being re-identified based on correlation with other access 7933 characteristics. As such, access traces that are keyed to a specific 7934 client are unsafe to publish even if the key is pseudonymous. 7936 To minimize the risk of theft or accidental publication, log 7937 information ought to be purged of personally identifiable 7938 information, including user identifiers, IP addresses, and user- 7939 provided query parameters, as soon as that information is no longer 7940 necessary to support operational needs for security, auditing, or 7941 fraud control. 7943 12.8. Disclosure of Sensitive Information in URIs 7945 URIs are intended to be shared, not secured, even when they identify 7946 secure resources. URIs are often shown on displays, added to 7947 templates when a page is printed, and stored in a variety of 7948 unprotected bookmark lists. It is therefore unwise to include 7949 information within a URI that is sensitive, personally identifiable, 7950 or a risk to disclose. 7952 Authors of services ought to avoid GET-based forms for the submission 7953 of sensitive data because that data will be placed in the target URI. 7954 Many existing servers, proxies, and user agents log or display the 7955 target URI in places where it might be visible to third parties. 7956 Such services ought to use POST-based form submission instead. 7958 Since the Referer header field tells a target site about the context 7959 that resulted in a request, it has the potential to reveal 7960 information about the user's immediate browsing history and any 7961 personal information that might be found in the referring resource's 7962 URI. Limitations on the Referer header field are described in 7963 Section 9.6.2 to address some of its security considerations. 7965 12.9. Disclosure of Fragment after Redirects 7967 Although fragment identifiers used within URI references are not sent 7968 in requests, implementers ought to be aware that they will be visible 7969 to the user agent and any extensions or scripts running as a result 7970 of the response. In particular, when a redirect occurs and the 7971 original request's fragment identifier is inherited by the new 7972 reference in Location (Section 11.1.2), this might have the effect of 7973 disclosing one site's fragment to another site. If the first site 7974 uses personal information in fragments, it ought to ensure that 7975 redirects to other sites include a (possibly empty) fragment 7976 component in order to block that inheritance. 7978 12.10. Disclosure of Product Information 7980 The User-Agent (Section 9.6.3), Via (Section 6.7.1), and Server 7981 (Section 11.4.3) header fields often reveal information about the 7982 respective sender's software systems. In theory, this can make it 7983 easier for an attacker to exploit known security holes; in practice, 7984 attackers tend to try all potential holes regardless of the apparent 7985 software versions being used. 7987 Proxies that serve as a portal through a network firewall ought to 7988 take special precautions regarding the transfer of header information 7989 that might identify hosts behind the firewall. The Via header field 7990 allows intermediaries to replace sensitive machine names with 7991 pseudonyms. 7993 12.11. Browser Fingerprinting 7995 Browser fingerprinting is a set of techniques for identifying a 7996 specific user agent over time through its unique set of 7997 characteristics. These characteristics might include information 7998 related to its TCP behavior, feature capabilities, and scripting 7999 environment, though of particular interest here is the set of unique 8000 characteristics that might be communicated via HTTP. Fingerprinting 8001 is considered a privacy concern because it enables tracking of a user 8002 agent's behavior over time ([Bujlow]) without the corresponding 8003 controls that the user might have over other forms of data collection 8004 (e.g., cookies). Many general-purpose user agents (i.e., Web 8005 browsers) have taken steps to reduce their fingerprints. 8007 There are a number of request header fields that might reveal 8008 information to servers that is sufficiently unique to enable 8009 fingerprinting. The From header field is the most obvious, though it 8010 is expected that From will only be sent when self-identification is 8011 desired by the user. Likewise, Cookie header fields are deliberately 8012 designed to enable re-identification, so fingerprinting concerns only 8013 apply to situations where cookies are disabled or restricted by the 8014 user agent's configuration. 8016 The User-Agent header field might contain enough information to 8017 uniquely identify a specific device, usually when combined with other 8018 characteristics, particularly if the user agent sends excessive 8019 details about the user's system or extensions. However, the source 8020 of unique information that is least expected by users is proactive 8021 negotiation (Section 9.4), including the Accept, Accept-Charset, 8022 Accept-Encoding, and Accept-Language header fields. 8024 In addition to the fingerprinting concern, detailed use of the 8025 Accept-Language header field can reveal information the user might 8026 consider to be of a private nature. For example, understanding a 8027 given language set might be strongly correlated to membership in a 8028 particular ethnic group. An approach that limits such loss of 8029 privacy would be for a user agent to omit the sending of Accept- 8030 Language except for sites that have been whitelisted, perhaps via 8031 interaction after detecting a Vary header field that indicates 8032 language negotiation might be useful. 8034 In environments where proxies are used to enhance privacy, user 8035 agents ought to be conservative in sending proactive negotiation 8036 header fields. General-purpose user agents that provide a high 8037 degree of header field configurability ought to inform users about 8038 the loss of privacy that might result if too much detail is provided. 8039 As an extreme privacy measure, proxies could filter the proactive 8040 negotiation header fields in relayed requests. 8042 12.12. Validator Retention 8044 The validators defined by this specification are not intended to 8045 ensure the validity of a representation, guard against malicious 8046 changes, or detect man-in-the-middle attacks. At best, they enable 8047 more efficient cache updates and optimistic concurrent writes when 8048 all participants are behaving nicely. At worst, the conditions will 8049 fail and the client will receive a response that is no more harmful 8050 than an HTTP exchange without conditional requests. 8052 An entity-tag can be abused in ways that create privacy risks. For 8053 example, a site might deliberately construct a semantically invalid 8054 entity-tag that is unique to the user or user agent, send it in a 8055 cacheable response with a long freshness time, and then read that 8056 entity-tag in later conditional requests as a means of re-identifying 8057 that user or user agent. Such an identifying tag would become a 8058 persistent identifier for as long as the user agent retained the 8059 original cache entry. User agents that cache representations ought 8060 to ensure that the cache is cleared or replaced whenever the user 8061 performs privacy-maintaining actions, such as clearing stored cookies 8062 or changing to a private browsing mode. 8064 12.13. Denial-of-Service Attacks Using Range 8066 Unconstrained multiple range requests are susceptible to denial-of- 8067 service attacks because the effort required to request many 8068 overlapping ranges of the same data is tiny compared to the time, 8069 memory, and bandwidth consumed by attempting to serve the requested 8070 data in many parts. Servers ought to ignore, coalesce, or reject 8071 egregious range requests, such as requests for more than two 8072 overlapping ranges or for many small ranges in a single set, 8073 particularly when the ranges are requested out of order for no 8074 apparent reason. Multipart range requests are not designed to 8075 support random access. 8077 12.14. Authentication Considerations 8079 Everything about the topic of HTTP authentication is a security 8080 consideration, so the list of considerations below is not exhaustive. 8081 Furthermore, it is limited to security considerations regarding the 8082 authentication framework, in general, rather than discussing all of 8083 the potential considerations for specific authentication schemes 8084 (which ought to be documented in the specifications that define those 8085 schemes). Various organizations maintain topical information and 8086 links to current research on Web application security (e.g., 8087 [OWASP]), including common pitfalls for implementing and using the 8088 authentication schemes found in practice. 8090 12.14.1. Confidentiality of Credentials 8092 The HTTP authentication framework does not define a single mechanism 8093 for maintaining the confidentiality of credentials; instead, each 8094 authentication scheme defines how the credentials are encoded prior 8095 to transmission. While this provides flexibility for the development 8096 of future authentication schemes, it is inadequate for the protection 8097 of existing schemes that provide no confidentiality on their own, or 8098 that do not sufficiently protect against replay attacks. 8099 Furthermore, if the server expects credentials that are specific to 8100 each individual user, the exchange of those credentials will have the 8101 effect of identifying that user even if the content within 8102 credentials remains confidential. 8104 HTTP depends on the security properties of the underlying transport- 8105 or session-level connection to provide confidential transmission of 8106 fields. In other words, if a server limits access to authenticated 8107 users using this framework, the server needs to ensure that the 8108 connection is properly secured in accordance with the nature of the 8109 authentication scheme used. For example, services that depend on 8110 individual user authentication often require a connection to be 8111 secured with TLS ("Transport Layer Security", [RFC8446]) prior to 8112 exchanging any credentials. 8114 12.14.2. Credentials and Idle Clients 8116 Existing HTTP clients and user agents typically retain authentication 8117 information indefinitely. HTTP does not provide a mechanism for the 8118 origin server to direct clients to discard these cached credentials, 8119 since the protocol has no awareness of how credentials are obtained 8120 or managed by the user agent. The mechanisms for expiring or 8121 revoking credentials can be specified as part of an authentication 8122 scheme definition. 8124 Circumstances under which credential caching can interfere with the 8125 application's security model include but are not limited to: 8127 o Clients that have been idle for an extended period, following 8128 which the server might wish to cause the client to re-prompt the 8129 user for credentials. 8131 o Applications that include a session termination indication (such 8132 as a "logout" or "commit" button on a page) after which the server 8133 side of the application "knows" that there is no further reason 8134 for the client to retain the credentials. 8136 User agents that cache credentials are encouraged to provide a 8137 readily accessible mechanism for discarding cached credentials under 8138 user control. 8140 12.14.3. Protection Spaces 8142 Authentication schemes that solely rely on the "realm" mechanism for 8143 establishing a protection space will expose credentials to all 8144 resources on an origin server. Clients that have successfully made 8145 authenticated requests with a resource can use the same 8146 authentication credentials for other resources on the same origin 8147 server. This makes it possible for a different resource to harvest 8148 authentication credentials for other resources. 8150 This is of particular concern when an origin server hosts resources 8151 for multiple parties under the same canonical root URI 8152 (Section 9.5.2). Possible mitigation strategies include restricting 8153 direct access to authentication credentials (i.e., not making the 8154 content of the Authorization request header field available), and 8155 separating protection spaces by using a different host name (or port 8156 number) for each party. 8158 12.14.4. Additional Response Fields 8160 Adding information to responses that are sent over an unencrypted 8161 channel can affect security and privacy. The presence of the 8162 Authentication-Info and Proxy-Authentication-Info header fields alone 8163 indicates that HTTP authentication is in use. Additional information 8164 could be exposed by the contents of the authentication-scheme 8165 specific parameters; this will have to be considered in the 8166 definitions of these schemes. 8168 13. IANA Considerations 8170 The change controller for the following registrations is: "IETF 8171 (iesg@ietf.org) - Internet Engineering Task Force". 8173 13.1. URI Scheme Registration 8175 Please update the registry of URI Schemes [BCP35] at 8176 with the permanent 8177 schemes listed in the first table of Section 2.5. 8179 13.2. Method Registration 8181 Please update the "Hypertext Transfer Protocol (HTTP) Method 8182 Registry" at with the 8183 registration procedure of Section 8.4.1 and the method names 8184 summarized in the table of Section 8.2. 8186 Furthermore, the method name "*" is reserved, since using that name 8187 as HTTP method name might conflict with special semantics in fields 8188 such as "Access-Control-Request-Method". Thus, please add the entry 8189 below to the registry: 8191 Method Name: * 8193 Safe: no 8195 Idempotent: no 8197 Reference: Section 13.2 8199 13.3. Status Code Registration 8201 Please update the "Hypertext Transfer Protocol (HTTP) Status Code 8202 Registry" at 8203 with the registration procedure of Section 10.7.1 and the status code 8204 values summarized in the table of Section 10.1. 8206 Additionally, please update the following entry in the Hypertext 8207 Transfer Protocol (HTTP) Status Code Registry: 8209 Value: 418 8211 Description: (Unused) 8213 Reference Section 10.5.19 8215 13.4. HTTP Field Name Registration 8217 Please create a new registry as outlined in Section 5.3.2. 8219 After creating the registry, all entries in the Permanent and 8220 Provisional Message Header Registries with the protocol 'http' are to 8221 be moved to it, with the following changes applied: 8223 1. The 'Applicable Protocol' field is to be omitted. 8225 2. Entries with a status of 'standard', 'experimental', 'reserved', 8226 or 'informational' are to have a status of 'permanent'. 8228 3. Provisional entries without a status are to have a status of 8229 'provisional'. 8231 4. Permanent entries without a status (after confirmation that the 8232 registration document did not define one) will have a status of 8233 'provisional'. The Expert(s) can choose to update their status 8234 if there is evidence that another is more appropriate. 8236 Please annotate the Permanent and Provisional Message Header 8237 registries to indicate that HTTP field name registrations have moved, 8238 with an appropriate link. 8240 After that is complete, please update the new registry with the field 8241 names listed in the table of Section 5.8. 8243 Finally, please update the "Content-MD5" entry in the new registry to 8244 have a status of 'obsoleted' with references to Section 14.15 of 8245 [RFC2616] (for the definition of the header field) and Appendix B of 8246 [RFC7231] (which removed the field definition from the updated 8247 specification). 8249 13.5. Authentication Scheme Registration 8251 Please update the "Hypertext Transfer Protocol (HTTP) Authentication 8252 Scheme Registry" at with the registration procedure of Section 9.5.5.1. No 8254 authentication schemes are defined in this document. 8256 13.6. Content Coding Registration 8258 Please update the "HTTP Content Coding Registry" at 8259 with the 8260 registration procedure of Section 7.1.2.4 and the content coding 8261 names summarized in the table of Section 7.1.2. 8263 13.7. Range Unit Registration 8265 Please update the "HTTP Range Unit Registry" at 8266 with the 8267 registration procedure of Section 7.1.4.4 and the range unit names 8268 summarized in the table of Section 7.1.4. 8270 13.8. Media Type Registration 8272 Please update the "Media Types" registry at 8273 with the registration 8274 information in Section 7.3.5 for the media type "multipart/ 8275 byteranges". 8277 13.9. Port Registration 8279 Please update the "Service Name and Transport Protocol Port Number" 8280 registry at for the services on ports 80 and 443 that use UDP or TCP 8282 to: 8284 1. use this document as "Reference", and 8286 2. when currently unspecified, set "Assignee" to "IESG" and 8287 "Contact" to "IETF_Chair". 8289 14. References 8291 14.1. Normative References 8293 [Caching] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 8294 Ed., "HTTP Caching", draft-ietf-httpbis-cache-09 (work in 8295 progress), July 2020. 8297 [Messaging] 8298 Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 8299 Ed., "HTTP/1.1 Messaging", draft-ietf-httpbis-messaging-09 8300 (work in progress), July 2020. 8302 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 8303 RFC 793, DOI 10.17487/RFC0793, September 1981, 8304 . 8306 [RFC1950] Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data Format 8307 Specification version 3.3", RFC 1950, 8308 DOI 10.17487/RFC1950, May 1996, 8309 . 8311 [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification 8312 version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996, 8313 . 8315 [RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and G. 8316 Randers-Pehrson, "GZIP file format specification version 8317 4.3", RFC 1952, DOI 10.17487/RFC1952, May 1996, 8318 . 8320 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 8321 Extensions (MIME) Part One: Format of Internet Message 8322 Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, 8323 . 8325 [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 8326 Extensions (MIME) Part Two: Media Types", RFC 2046, 8327 DOI 10.17487/RFC2046, November 1996, 8328 . 8330 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 8331 Requirement Levels", BCP 14, RFC 2119, 8332 DOI 10.17487/RFC2119, March 1997, 8333 . 8335 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 8336 Resource Identifier (URI): Generic Syntax", STD 66, 8337 RFC 3986, DOI 10.17487/RFC3986, January 2005, 8338 . 8340 [RFC4647] Phillips, A., Ed. and M. Davis, Ed., "Matching of Language 8341 Tags", BCP 47, RFC 4647, DOI 10.17487/RFC4647, September 8342 2006, . 8344 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 8345 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 8346 . 8348 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 8349 Specifications: ABNF", STD 68, RFC 5234, 8350 DOI 10.17487/RFC5234, January 2008, 8351 . 8353 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 8354 Housley, R., and W. Polk, "Internet X.509 Public Key 8355 Infrastructure Certificate and Certificate Revocation List 8356 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 8357 . 8359 [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying 8360 Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, 8361 September 2009, . 8363 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in 8364 Internationalization in the IETF", BCP 166, RFC 6365, 8365 DOI 10.17487/RFC6365, September 2011, 8366 . 8368 [RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF", 8369 RFC 7405, DOI 10.17487/RFC7405, December 2014, 8370 . 8372 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 8373 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 8374 May 2017, . 8376 [USASCII] American National Standards Institute, "Coded Character 8377 Set -- 7-bit American Standard Code for Information 8378 Interchange", ANSI X3.4, 1986. 8380 [Welch] Welch, T., "A Technique for High-Performance Data 8381 Compression", IEEE Computer 17(6), 8382 DOI 10.1109/MC.1984.1659158, June 1984, 8383 . 8385 14.2. Informative References 8387 [BCP13] Freed, N., Klensin, J., and T. Hansen, "Media Type 8388 Specifications and Registration Procedures", BCP 13, 8389 RFC 6838, January 2013, 8390 . 8392 [BCP178] Saint-Andre, P., Crocker, D., and M. Nottingham, 8393 "Deprecating the "X-" Prefix and Similar Constructs in 8394 Application Protocols", BCP 178, RFC 6648, June 2012, 8395 . 8397 [BCP35] Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines 8398 and Registration Procedures for URI Schemes", BCP 35, 8399 RFC 7595, June 2015, 8400 . 8402 [Bujlow] Bujlow, T., Carela-Espanol, V., Sole-Pareta, J., and P. 8403 Barlet-Ros, "A Survey on Web Tracking: Mechanisms, 8404 Implications, and Defenses", 8405 DOI 10.1109/JPROC.2016.2637878, Proceedings of the 8406 IEEE 105(8), August 2017. 8408 [Err1912] RFC Errata, Erratum ID 1912, RFC 2978, 8409 . 8411 [Err5433] RFC Errata, Erratum ID 5433, RFC 2978, 8412 . 8414 [Georgiev] 8415 Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, 8416 D., and V. Shmatikov, "The Most Dangerous Code in the 8417 World: Validating SSL Certificates in Non-browser 8418 Software", DOI 10.1145/2382196.2382204, In Proceedings of 8419 the 2012 ACM Conference on Computer and Communications 8420 Security (CCS '12), pp. 38-49, October 2012. 8422 [ISO-8859-1] 8423 International Organization for Standardization, 8424 "Information technology -- 8-bit single-byte coded graphic 8425 character sets -- Part 1: Latin alphabet No. 1", ISO/ 8426 IEC 8859-1:1998, 1998. 8428 [Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and 8429 Politics", ACM Transactions on Internet Technology 1(2), 8430 November 2001, . 8432 [OWASP] van der Stock, A., Ed., "A Guide to Building Secure Web 8433 Applications and Web Services", The Open Web Application 8434 Security Project (OWASP) 2.0.1, July 2005, 8435 . 8437 [REST] Fielding, R., "Architectural Styles and the Design of 8438 Network-based Software Architectures", 8439 Doctoral Dissertation, University of California, Irvine, 8440 September 2000, 8441 . 8443 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 8444 RFC 1919, DOI 10.17487/RFC1919, March 1996, 8445 . 8447 [RFC1945] Berners-Lee, T., Fielding, R., and H. Nielsen, "Hypertext 8448 Transfer Protocol -- HTTP/1.0", RFC 1945, 8449 DOI 10.17487/RFC1945, May 1996, 8450 . 8452 [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) 8453 Part Three: Message Header Extensions for Non-ASCII Text", 8454 RFC 2047, DOI 10.17487/RFC2047, November 1996, 8455 . 8457 [RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. 8458 Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", 8459 RFC 2068, DOI 10.17487/RFC2068, January 1997, 8460 . 8462 [RFC2145] Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, "Use 8463 and Interpretation of HTTP Version Numbers", RFC 2145, 8464 DOI 10.17487/RFC2145, May 1997, 8465 . 8467 [RFC2295] Holtman, K. and A. Mutz, "Transparent Content Negotiation 8468 in HTTP", RFC 2295, DOI 10.17487/RFC2295, March 1998, 8469 . 8471 [RFC2324] Masinter, L., "Hyper Text Coffee Pot Control Protocol 8472 (HTCPCP/1.0)", RFC 2324, DOI 10.17487/RFC2324, April 1998, 8473 . 8475 [RFC2557] Palme, F., Hopmann, A., Shelness, N., and E. Stefferud, 8476 "MIME Encapsulation of Aggregate Documents, such as HTML 8477 (MHTML)", RFC 2557, DOI 10.17487/RFC2557, March 1999, 8478 . 8480 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 8481 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 8482 Transfer Protocol -- HTTP/1.1", RFC 2616, 8483 DOI 10.17487/RFC2616, June 1999, 8484 . 8486 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., 8487 Leach, P., Luotonen, A., and L. Stewart, "HTTP 8488 Authentication: Basic and Digest Access Authentication", 8489 RFC 2617, DOI 10.17487/RFC2617, June 1999, 8490 . 8492 [RFC2774] Frystyk, H., Leach, P., and S. Lawrence, "An HTTP 8493 Extension Framework", RFC 2774, DOI 10.17487/RFC2774, 8494 February 2000, . 8496 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 8497 DOI 10.17487/RFC2818, May 2000, 8498 . 8500 [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration 8501 Procedures", BCP 19, RFC 2978, DOI 10.17487/RFC2978, 8502 October 2000, . 8504 [RFC3040] Cooper, I., Melve, I., and G. Tomlinson, "Internet Web 8505 Replication and Caching Taxonomy", RFC 3040, 8506 DOI 10.17487/RFC3040, January 2001, 8507 . 8509 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 8510 Rose, "DNS Security Introduction and Requirements", 8511 RFC 4033, DOI 10.17487/RFC4033, March 2005, 8512 . 8514 [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based 8515 Kerberos and NTLM HTTP Authentication in Microsoft 8516 Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006, 8517 . 8519 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed 8520 Authoring and Versioning (WebDAV)", RFC 4918, 8521 DOI 10.17487/RFC4918, June 2007, 8522 . 8524 [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, 8525 DOI 10.17487/RFC5322, October 2008, 8526 . 8528 [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", 8529 RFC 5789, DOI 10.17487/RFC5789, March 2010, 8530 . 8532 [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, 8533 "Network Time Protocol Version 4: Protocol and Algorithms 8534 Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, 8535 . 8537 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 8538 Verification of Domain-Based Application Service Identity 8539 within Internet Public Key Infrastructure Using X.509 8540 (PKIX) Certificates in the Context of Transport Layer 8541 Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March 8542 2011, . 8544 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, 8545 DOI 10.17487/RFC6265, April 2011, 8546 . 8548 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, 8549 DOI 10.17487/RFC6454, December 2011, 8550 . 8552 [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status 8553 Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, 8554 . 8556 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 8557 Protocol (HTTP/1.1): Message Syntax and Routing", 8558 RFC 7230, DOI 10.17487/RFC7230, June 2014, 8559 . 8561 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 8562 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 8563 DOI 10.17487/RFC7231, June 2014, 8564 . 8566 [RFC7232] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 8567 Protocol (HTTP/1.1): Conditional Requests", RFC 7232, 8568 DOI 10.17487/RFC7232, June 2014, 8569 . 8571 [RFC7233] Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed., 8572 "Hypertext Transfer Protocol (HTTP): Range Requests", 8573 RFC 7233, DOI 10.17487/RFC7233, June 2014, 8574 . 8576 [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 8577 Protocol (HTTP/1.1): Authentication", RFC 7235, 8578 DOI 10.17487/RFC7235, June 2014, 8579 . 8581 [RFC7538] Reschke, J., "The Hypertext Transfer Protocol Status Code 8582 308 (Permanent Redirect)", RFC 7538, DOI 10.17487/RFC7538, 8583 April 2015, . 8585 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 8586 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 8587 DOI 10.17487/RFC7540, May 2015, 8588 . 8590 [RFC7578] Masinter, L., "Returning Values from Forms: multipart/ 8591 form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015, 8592 . 8594 [RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy- 8595 Authentication-Info Response Header Fields", RFC 7615, 8596 DOI 10.17487/RFC7615, September 2015, 8597 . 8599 [RFC7616] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP 8600 Digest Access Authentication", RFC 7616, 8601 DOI 10.17487/RFC7616, September 2015, 8602 . 8604 [RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", 8605 RFC 7617, DOI 10.17487/RFC7617, September 2015, 8606 . 8608 [RFC7694] Reschke, J., "Hypertext Transfer Protocol (HTTP) Client- 8609 Initiated Content-Encoding", RFC 7694, 8610 DOI 10.17487/RFC7694, November 2015, 8611 . 8613 [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP 8614 Alternative Services", RFC 7838, DOI 10.17487/RFC7838, 8615 April 2016, . 8617 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 8618 Writing an IANA Considerations Section in RFCs", BCP 26, 8619 RFC 8126, DOI 10.17487/RFC8126, June 2017, 8620 . 8622 [RFC8187] Reschke, J., "Indicating Character Encoding and Language 8623 for HTTP Header Field Parameters", RFC 8187, 8624 DOI 10.17487/RFC8187, September 2017, 8625 . 8627 [RFC8246] McManus, P., "HTTP Immutable Responses", RFC 8246, 8628 DOI 10.17487/RFC8246, September 2017, 8629 . 8631 [RFC8288] Nottingham, M., "Web Linking", RFC 8288, 8632 DOI 10.17487/RFC8288, October 2017, 8633 . 8635 [RFC8336] Nottingham, M. and E. Nygren, "The ORIGIN HTTP/2 Frame", 8636 RFC 8336, DOI 10.17487/RFC8336, March 2018, 8637 . 8639 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 8640 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 8641 . 8643 [Sniffing] 8644 WHATWG, "MIME Sniffing", 8645 . 8647 Appendix A. Collected ABNF 8649 In the collected ABNF below, list rules are expanded as per 8650 Section 5.5.1. 8652 Accept = [ ( media-range [ accept-params ] ) *( OWS "," OWS ( 8653 media-range [ accept-params ] ) ) ] 8654 Accept-Charset = ( ( charset / "*" ) [ weight ] ) *( OWS "," OWS ( ( 8655 charset / "*" ) [ weight ] ) ) 8656 Accept-Encoding = [ ( codings [ weight ] ) *( OWS "," OWS ( codings [ 8657 weight ] ) ) ] 8658 Accept-Language = ( language-range [ weight ] ) *( OWS "," OWS ( 8659 language-range [ weight ] ) ) 8660 Accept-Ranges = acceptable-ranges 8661 Allow = [ method *( OWS "," OWS method ) ] 8662 Authentication-Info = [ auth-param *( OWS "," OWS auth-param ) ] 8663 Authorization = credentials 8665 BWS = OWS 8667 Content-Encoding = content-coding *( OWS "," OWS content-coding ) 8668 Content-Language = language-tag *( OWS "," OWS language-tag ) 8669 Content-Length = 1*DIGIT 8670 Content-Location = absolute-URI / partial-URI 8671 Content-Range = range-unit SP ( range-resp / unsatisfied-range ) 8672 Content-Type = media-type 8674 Date = HTTP-date 8676 ETag = entity-tag 8677 Expect = "100-continue" 8679 From = mailbox 8681 GMT = %x47.4D.54 ; GMT 8683 HTTP-date = IMF-fixdate / obs-date 8684 Host = uri-host [ ":" port ] 8686 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 8687 If-Match = "*" / ( entity-tag *( OWS "," OWS entity-tag ) ) 8688 If-Modified-Since = HTTP-date 8689 If-None-Match = "*" / ( entity-tag *( OWS "," OWS entity-tag ) ) 8690 If-Range = entity-tag / HTTP-date 8691 If-Unmodified-Since = HTTP-date 8693 Last-Modified = HTTP-date 8694 Location = URI-reference 8695 Max-Forwards = 1*DIGIT 8697 OWS = *( SP / HTAB ) 8699 Proxy-Authenticate = challenge *( OWS "," OWS challenge ) 8700 Proxy-Authentication-Info = [ auth-param *( OWS "," OWS auth-param ) 8701 ] 8702 Proxy-Authorization = credentials 8704 RWS = 1*( SP / HTAB ) 8705 Range = ranges-specifier 8706 Referer = absolute-URI / partial-URI 8707 Retry-After = HTTP-date / delay-seconds 8709 Server = product *( RWS ( product / comment ) ) 8711 Trailer = field-name *( OWS "," OWS field-name ) 8713 URI-reference = 8714 User-Agent = product *( RWS ( product / comment ) ) 8716 Vary = ( "*" / field-name ) *( OWS "," OWS ( "*" / field-name ) ) 8717 Via = ( received-protocol RWS received-by [ RWS comment ] ) *( OWS 8718 "," OWS ( received-protocol RWS received-by [ RWS comment ] ) ) 8720 WWW-Authenticate = challenge *( OWS "," OWS challenge ) 8722 absolute-URI = 8723 absolute-path = 1*( "/" segment ) 8724 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 8725 accept-params = weight *accept-ext 8726 acceptable-ranges = ( range-unit *( OWS "," OWS range-unit ) ) / 8727 "none" 8728 asctime-date = day-name SP date3 SP time-of-day SP year 8729 auth-param = token BWS "=" BWS ( token / quoted-string ) 8730 auth-scheme = token 8731 authority = 8733 challenge = auth-scheme [ 1*SP ( token68 / [ auth-param *( OWS "," 8734 OWS auth-param ) ] ) ] 8735 charset = token 8736 codings = content-coding / "identity" / "*" 8737 comment = "(" *( ctext / quoted-pair / comment ) ")" 8738 complete-length = 1*DIGIT 8739 content-coding = token 8740 credentials = auth-scheme [ 1*SP ( token68 / [ auth-param *( OWS "," 8741 OWS auth-param ) ] ) ] 8742 ctext = HTAB / SP / %x21-27 ; '!'-''' 8743 / %x2A-5B ; '*'-'[' 8744 / %x5D-7E ; ']'-'~' 8745 / obs-text 8747 date1 = day SP month SP year 8748 date2 = day "-" month "-" 2DIGIT 8749 date3 = month SP ( 2DIGIT / ( SP DIGIT ) ) 8750 day = 2DIGIT 8751 day-name = %x4D.6F.6E ; Mon 8752 / %x54.75.65 ; Tue 8753 / %x57.65.64 ; Wed 8754 / %x54.68.75 ; Thu 8755 / %x46.72.69 ; Fri 8756 / %x53.61.74 ; Sat 8757 / %x53.75.6E ; Sun 8758 day-name-l = %x4D.6F.6E.64.61.79 ; Monday 8759 / %x54.75.65.73.64.61.79 ; Tuesday 8760 / %x57.65.64.6E.65.73.64.61.79 ; Wednesday 8761 / %x54.68.75.72.73.64.61.79 ; Thursday 8762 / %x46.72.69.64.61.79 ; Friday 8763 / %x53.61.74.75.72.64.61.79 ; Saturday 8764 / %x53.75.6E.64.61.79 ; Sunday 8765 delay-seconds = 1*DIGIT 8767 entity-tag = [ weak ] opaque-tag 8768 etagc = "!" / %x23-7E ; '#'-'~' 8769 / obs-text 8771 field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) 8772 field-vchar ] 8773 field-name = token 8774 field-value = *field-content 8775 field-vchar = VCHAR / obs-text 8776 first-pos = 1*DIGIT 8778 hour = 2DIGIT 8779 http-URI = "http://" authority path-abempty [ "?" query ] 8780 https-URI = "https://" authority path-abempty [ "?" query ] 8782 incl-range = first-pos "-" last-pos 8783 int-range = first-pos "-" [ last-pos ] 8785 language-range = 8786 language-tag = 8787 last-pos = 1*DIGIT 8789 mailbox = 8790 media-range = ( "*/*" / ( type "/*" ) / ( type "/" subtype ) ) *( OWS 8791 ";" OWS parameter ) 8792 media-type = type "/" subtype *( OWS ";" OWS parameter ) 8793 method = token 8794 minute = 2DIGIT 8795 month = %x4A.61.6E ; Jan 8796 / %x46.65.62 ; Feb 8797 / %x4D.61.72 ; Mar 8798 / %x41.70.72 ; Apr 8799 / %x4D.61.79 ; May 8800 / %x4A.75.6E ; Jun 8801 / %x4A.75.6C ; Jul 8802 / %x41.75.67 ; Aug 8803 / %x53.65.70 ; Sep 8804 / %x4F.63.74 ; Oct 8805 / %x4E.6F.76 ; Nov 8806 / %x44.65.63 ; Dec 8808 obs-date = rfc850-date / asctime-date 8809 obs-text = %x80-FF 8810 opaque-tag = DQUOTE *etagc DQUOTE 8811 other-range = 1*( %x21-2B ; '!'-'+' 8812 / %x2D-7E ; '-'-'~' 8813 ) 8815 parameter = parameter-name "=" parameter-value 8816 parameter-name = token 8817 parameter-value = ( token / quoted-string ) 8818 partial-URI = relative-part [ "?" query ] 8819 path-abempty = 8820 port = 8821 product = token [ "/" product-version ] 8822 product-version = token 8823 protocol-name = 8824 protocol-version = 8825 pseudonym = token 8827 qdtext = HTAB / SP / "!" / %x23-5B ; '#'-'[' 8828 / %x5D-7E ; ']'-'~' 8829 / obs-text 8830 query = 8831 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 8832 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 8833 qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] ) 8835 range-resp = incl-range "/" ( complete-length / "*" ) 8836 range-set = range-spec *( OWS "," OWS range-spec ) 8837 range-spec = int-range / suffix-range / other-range 8838 range-unit = token 8839 ranges-specifier = range-unit "=" range-set 8840 received-by = pseudonym [ ":" port ] 8841 received-protocol = [ protocol-name "/" ] protocol-version 8842 relative-part = 8843 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 8845 second = 2DIGIT 8846 segment = 8847 subtype = token 8848 suffix-length = 1*DIGIT 8849 suffix-range = "-" suffix-length 8851 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / 8852 "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA 8853 time-of-day = hour ":" minute ":" second 8854 token = 1*tchar 8855 token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) 8856 *"=" 8857 type = token 8859 unsatisfied-range = "*/" complete-length 8860 uri-host = 8862 weak = %x57.2F ; W/ 8863 weight = OWS ";" OWS "q=" qvalue 8865 year = 4DIGIT 8867 Appendix B. Changes from previous RFCs 8869 B.1. Changes from RFC 2818 8871 None yet. 8873 B.2. Changes from RFC 7230 8875 The sections introducing HTTP's design goals, history, architecture, 8876 conformance criteria, protocol versioning, URIs, message routing, and 8877 header fields have been moved here (without substantive change). 8879 "Field value" now refers to the value after multiple instances are 8880 combined with commas -- by far the most common use. To refer to a 8881 single header line's value, use "field line value". (Section 5) 8883 Trailer field semantics now transcend the specifics of chunked 8884 encoding. Use of trailer fields has been further limited to only 8885 allow generation as a trailer field when the sender knows the field 8886 defines that usage and to only allow merging into the header section 8887 if the recipient knows the corresponding field definition permits and 8888 defines how to merge. In all other cases, implementations are 8889 encouraged to either store the trailer fields separately or discard 8890 them instead of merging. (Section 5.6.2) 8892 Made the priority of the absolute form of the request URI over the 8893 Host header by origin servers explicit, to align with proxy handling. 8894 (Section 6.6) 8896 The grammar definition for the Via field's "received-by" was expanded 8897 in 7230 due to changes in the URI grammar for host [RFC3986] that are 8898 not desirable for Via. For simplicity, we have removed uri-host from 8899 the received-by production because it can be encompassed by the 8900 existing grammar for pseudonym. In particular, this change removed 8901 comma from the allowed set of charaters for a host name in received- 8902 by. (Section 6.7.1) 8904 Added status code 308 (previously defined in [RFC7538]) so that it's 8905 defined closer to status codes 301, 302, and 307. (Section 10.4.9) 8907 Added status code 422 (previously defined in Section 11.2 of 8908 [RFC4918]) because of its general applicability. (Section 10.5.20) 8910 The description of an origin and authoritative access to origin 8911 servers has been extended for both "http" and "https" URIs to account 8912 for alternative services and secured connections that are not 8913 necessarily based on TCP. (Section 2.5.1, Section 2.5.2, 8914 Section 6.2, Section 6.4) 8916 B.3. Changes from RFC 7231 8918 Minimum URI lengths to be supported by implementations are now 8919 recommended. (Section 2.5) 8921 Clarify that control characters in field values are to be rejected or 8922 mapped to SP. (Section 5.4) 8924 The term "effective request URI" has been replaced with "target URI". 8925 (Section 6.1) 8927 Range units are compared in a case insensitive fashion. 8928 (Section 7.1.4) 8930 Restrictions on client retries have been loosened, to reflect 8931 implementation behavior. (Section 8.2.2) 8933 Clarified that request bodies on GET and DELETE are not 8934 interoperable. (Section 8.3.1, Section 8.3.5) 8935 Removed a superfluous requirement about setting Content-Length from 8936 the description of the OPTIONS method. (Section 8.3.7) 8938 Allow Accept and Accept-Encoding in response messages; the latter was 8939 introduced by [RFC7694]. (Section 9.4) 8941 B.4. Changes from RFC 7232 8943 Clarify that If-Unmodified-Since doesn't apply to a resource without 8944 a concept of modification time. (Section 9.2.6) 8946 B.5. Changes from RFC 7233 8948 Refactored the range-unit and ranges-specifier grammars to simplify 8949 and reduce artificial distinctions between bytes and other 8950 (extension) range units, removing the overlapping grammar of other- 8951 range-unit by defining range units generically as a token and placing 8952 extensions within the scope of a range-spec (other-range). This 8953 disambiguates the role of list syntax (commas) in all range sets, 8954 including extension range units, for indicating a range-set of more 8955 than one range. Moving the extension grammar into range specifiers 8956 also allows protocol specific to byte ranges to be specified 8957 separately. 8959 B.6. Changes from RFC 7235 8961 None yet. 8963 B.7. Changes from RFC 7538 8965 None yet. 8967 B.8. Changes from RFC 7615 8969 None yet. 8971 Appendix C. Changes from RFC 7694 8973 This specification includes the extension defined in [RFC7694], but 8974 leaves out examples and deployment considerations. 8976 Appendix D. Change Log 8978 This section is to be removed before publishing as an RFC. 8980 D.1. Between RFC723x and draft 00 8982 The changes were purely editorial: 8984 o Change boilerplate and abstract to indicate the "draft" status, 8985 and update references to ancestor specifications. 8987 o Remove version "1.1" from document title, indicating that this 8988 specification applies to all HTTP versions. 8990 o Adjust historical notes. 8992 o Update links to sibling specifications. 8994 o Replace sections listing changes from RFC 2616 by new empty 8995 sections referring to RFC 723x. 8997 o Remove acknowledgements specific to RFC 723x. 8999 o Move "Acknowledgements" to the very end and make them unnumbered. 9001 D.2. Since draft-ietf-httpbis-semantics-00 9003 The changes in this draft are editorial, with respect to HTTP as a 9004 whole, to merge core HTTP semantics into this document: 9006 o Merged introduction, architecture, conformance, and ABNF 9007 extensions from RFC 7230 (Messaging). 9009 o Rearranged architecture to extract conformance, http(s) schemes, 9010 and protocol versioning into a separate major section. 9012 o Moved discussion of MIME differences to [Messaging] since that is 9013 primarily concerned with transforming 1.1 messages. 9015 o Merged entire content of RFC 7232 (Conditional Requests). 9017 o Merged entire content of RFC 7233 (Range Requests). 9019 o Merged entire content of RFC 7235 (Auth Framework). 9021 o Moved all extensibility tips, registration procedures, and 9022 registry tables from the IANA considerations to normative 9023 sections, reducing the IANA considerations to just instructions 9024 that will be removed prior to publication as an RFC. 9026 D.3. Since draft-ietf-httpbis-semantics-01 9028 o Improve [Welch] citation () 9031 o Remove HTTP/1.1-ism about Range Requests 9032 () 9034 o Cite RFC 8126 instead of RFC 5226 () 9037 o Cite RFC 7538 instead of RFC 7238 () 9040 o Cite RFC 8288 instead of RFC 5988 () 9043 o Cite RFC 8187 instead of RFC 5987 () 9046 o Cite RFC 7578 instead of RFC 2388 () 9049 o Cite RFC 7595 instead of RFC 4395 () 9052 o improve ABNF readability for qdtext (, ) 9055 o Clarify "resource" vs "representation" in definition of status 9056 code 416 (, 9057 ) 9059 o Resolved erratum 4072, no change needed here 9060 (, 9061 ) 9063 o Clarify DELETE status code suggestions 9064 (, 9065 ) 9067 o In Section 7.3.4, fix ABNF for "other-range-resp" to use VCHAR 9068 instead of CHAR (, 9069 ) 9071 o Resolved erratum 5162, no change needed here 9072 (, 9073 ) 9075 o Replace "response code" with "response status code" and "status- 9076 code" (the ABNF production name from the HTTP/1.1 message format) 9077 by "status code" (, 9078 ) 9080 o Added a missing word in Section 10.4 (, ) 9083 o In Section 5.5, fixed an example that had trailing whitespace 9084 where it shouldn't (, ) 9087 o In Section 10.3.7, remove words that were potentially misleading 9088 with respect to the relation to the requested ranges 9089 (, 9090 ) 9092 D.4. Since draft-ietf-httpbis-semantics-02 9094 o Included (Proxy-)Auth-Info header field definition from RFC 7615 9095 () 9097 o In Section 8.3.3, clarify POST caching 9098 () 9100 o Add Section 10.5.19 to reserve the 418 status code 9101 () 9103 o In Section 2.1 and Section 9.1.1, clarified when a response can be 9104 sent () 9106 o In Section 7.1.1.1, explain the difference between the "token" 9107 production, the RFC 2978 ABNF for charset names, and the actual 9108 registration practice (, ) 9111 o In Section 2.5, removed the fragment component in the URI scheme 9112 definitions as per Section 4.3 of [RFC3986], furthermore moved 9113 fragment discussion into a separate section 9114 (, 9115 , ) 9118 o In Section 4.2, add language about minor HTTP version number 9119 defaulting () 9121 o Added Section 10.5.20 for status code 422, previously defined in 9122 Section 11.2 of [RFC4918] () 9125 o In Section 10.5.17, fixed prose about byte range comparison 9126 (, 9127 ) 9129 o In Section 2.1, explain that request/response correlation is 9130 version specific () 9133 D.5. Since draft-ietf-httpbis-semantics-03 9135 o In Section 10.4.9, include status code 308 from RFC 7538 9136 () 9138 o In Section 7.1.1, clarify that the charset parameter value is 9139 case-insensitive due to the definition in RFC 2046 9140 () 9142 o Define a separate registry for HTTP header field names 9143 () 9145 o In Section 9.4, refactor and clarify description of wildcard ("*") 9146 handling () 9148 o Deprecate Accept-Charset () 9151 o In Section 9.2.1, mention Cache-Control: immutable 9152 () 9154 o In Section 5.1, clarify when header field combination is allowed 9155 () 9157 o In Section 13.4, instruct IANA to mark Content-MD5 as obsolete 9158 () 9160 o Use RFC 7405 ABNF notation for case-sensitive string constants 9161 () 9163 o Rework Section 2.1 to be more version-independent 9164 () 9166 o In Section 8.3.5, clarify that DELETE needs to be successful to 9167 invalidate cache (, ) 9170 D.6. Since draft-ietf-httpbis-semantics-04 9172 o In Section 5.4, fix field-content ABNF 9173 (, 9174 ) 9176 o Move Section 5.4.1.4 into its own section 9177 () 9179 o In Section 7.2.1, reference MIME Sniffing 9180 () 9182 o In Section 5.5, simplify the #rule mapping for recipients 9183 (, 9184 ) 9186 o In Section 8.3.7, remove misleading text about "extension" of HTTP 9187 is needed to define method payloads () 9190 o Fix editorial issue in Section 7 () 9193 o In Section 10.5.20, rephrase language not to use "entity" anymore, 9194 and also avoid lowercase "may" () 9197 o Move discussion of retries from [Messaging] into Section 8.2.2 9198 () 9200 D.7. Since draft-ietf-httpbis-semantics-05 9202 o Moved transport-independent part of the description of trailers 9203 into Section 5.6 () 9205 o Loosen requirements on retries based upon implementation behavior 9206 () 9208 o In Section 13.9, update IANA port registry for TCP/UDP on ports 80 9209 and 443 () 9211 o In Section 5.7, revise guidelines for new header field names 9212 () 9214 o In Section 8.2.3, remove concept of "cacheable methods" in favor 9215 of prose (, 9216 ) 9218 o In Section 12.1, mention that the concept of authority can be 9219 modified by protocol extensions () 9222 o Create new subsection on payload body in Section 7.3.3, taken from 9223 portions of message body () 9226 o Moved definition of "Whitespace" into new container "Generic 9227 Syntax" () 9229 o In Section 2.5, recommend minimum URI size support for 9230 implementations () 9232 o In Section 7.1.4, refactored the range-unit and ranges-specifier 9233 grammars (, 9234 ) 9236 o In Section 8.3.1, caution against a request body more strongly 9237 () 9239 o Reorganized text in Section 5.7 () 9242 o In Section 10.5.4, replace "authorize" with "fulfill" 9243 () 9245 o In Section 8.3.7, removed a misleading statement about Content- 9246 Length (, 9247 ) 9249 o In Section 12.1, add text from RFC 2818 9250 () 9252 o Changed "cacheable by default" to "heuristically cacheable" 9253 throughout () 9255 D.8. Since draft-ietf-httpbis-semantics-06 9257 o In Section 6.7.1, simplify received-by grammar (and disallow comma 9258 character) () 9260 o In Section 5.3, give guidance on interoperable field names 9261 () 9263 o In Section 1.2.1, define the semantics and possible replacement of 9264 whitespace when it is known to occur (, ) 9267 o In Section 5, introduce field terminology and distinguish between 9268 field line values and field values; use terminology consistently 9269 throughout () 9271 o Moved #rule definition into Section 5.4 and whitespace into 9272 Section 1.2 () 9274 o In Section 7.1.4, explicitly call out range unit names as case- 9275 insensitive, and encourage registration 9276 () 9278 o In Section 7.1.2, explicitly call out content codings as case- 9279 insensitive, and encourage registration 9280 () 9282 o In Section 5.3, explicitly call out field names as case- 9283 insensitive () 9285 o In Section 12.11, cite [Bujlow] () 9288 o In Section 10, formally define "final" and "interim" status codes 9289 () 9291 o In Section 8.3.5, caution against a request body more strongly 9292 () 9294 o In Section 11.2.3, note that Etag can be used in trailers 9295 () 9297 o In Section 13.4, consider reserved fields as well 9298 () 9300 o In Section 2.5.4, be more correct about what was deprecated by RFC 9301 3986 (, 9302 ) 9304 o In Section 5.1, recommend comma SP when combining field lines 9305 () 9307 o In Section 6.6, make explicit requirements on origin server to use 9308 authority from absolute-form when available 9309 () 9311 o In Section 2.5.1, Section 2.5.2, Section 6.2, and Section 6.4, 9312 refactored schemes to define origin and authoritative access to an 9313 origin server for both "http" and "https" URIs to account for 9314 alternative services and secured connections that are not 9315 necessarily based on TCP () 9318 o In Section 1.1, reference RFC 8174 as well 9319 () 9321 D.9. Since draft-ietf-httpbis-semantics-07 9323 o In Section 9.3, explicitly reference the definition of 9324 representation data as including any content codings 9325 () 9327 o Move TE: trailers from [Messaging] into Section 5.6.2 9328 () 9330 o In Section 7.2.4, adjust requirements for handling multiple 9331 content-length values () 9334 o In Section 9.2.3 and Section 9.2.4, clarified condition evaluation 9335 () 9337 o In Section 5.4, remove concept of obs-fold, as that is 9338 HTTP/1-specific () 9340 o In Section 7.4, introduce the concept of request payload 9341 negotiation (Section 7.4.3) and define for Accept-Encoding 9342 () 9344 o In Section 10.3.6, Section 10.5.9, and Section 10.5.14, remove 9345 HTTP/1-specific, connection-related requirements 9346 () 9348 o In Section 8.3.6, correct language about what is forwarded 9349 () 9351 o Throughout, replace "effective request URI", "request-target" and 9352 similar with "target URI" () 9355 o In Section 5.7 and Section 10.7.2, describe how extensions should 9356 consider scope of applicability () 9359 o In Section 2.1, don't rely on the HTTP/1.1 Messaging specification 9360 to define "message" () 9363 o In Section 7.2.5 and Section 9.6.2, note that URL resolution is 9364 necessary () 9366 o In Section 7, explicitly reference 206 as one of the status codes 9367 that provide representation data () 9370 o In Section 9.2.6, refine requirements so that they don't apply to 9371 resources without a concept of modification time 9372 () 9374 o In Section 11.3.2, specify the scope as a request, not a target 9375 resource () 9377 o In Section 2.1, introduce concept of "complete" messages 9378 () 9380 o In Section 6.1, Section 8.3.6, and Section 8.3.7, refine use of 9381 "request target" () 9384 o Throughout, remove "status-line" and "request-line", as these are 9385 HTTP/1.1-specific () 9388 D.10. Since draft-ietf-httpbis-semantics-08 9390 o In Section 10.5.17, remove duplicate definition of what makes a 9391 range satisfiable and refer instead to each range unit's 9392 definition () 9394 o In Section 7.1.4.2 and Section 9.3, clarify that a selected 9395 representation of zero length can only be satisfiable as a suffix 9396 range and that a server can still ignore Range for that case 9397 () 9399 o In Section 9.4.1 and Section 10.5.16, allow "Accept" as response 9400 field () 9402 o Appendix A now uses the sender variant of the "#" list expansion 9403 () 9405 o In Section 11.1.4, make the field list-based even when "*" is 9406 present () 9408 o In Section 5.3.2, add optional "Comments" entry 9409 () 9411 o In Section 5.8, reserve "*" as field name 9412 () 9414 o In Section 13.2, reserve "*" as method name 9415 () 9417 o In Section 9.2.3 and Section 9.2.4, state that multiple "*" is 9418 unlikely to be interoperable () 9421 o In Section 9.4.1, avoid use of obsolete media type parameter on 9422 text/html (, 9423 ) 9425 o Rephrase prose in Section 2.1 to become version-agnostic 9426 () 9428 o In Section 5.4, instruct recipients how to deal with control 9429 characters in field values () 9432 o In Section 5.4, update note about field ABNF 9433 () 9435 o Add Section 4 about Extending and Versioning HTTP 9436 () 9438 o In Section 10.1, include status 308 in list of heuristically 9439 cacheable status codes () 9442 o In Section 7.2.2, make it clearer that "identity" is not to be 9443 included () 9445 Index 9447 1 9448 100 Continue (status code) 127 9449 100-continue (expect value) 93 9450 101 Switching Protocols (status code) 127 9451 1xx Informational (status code class) 126 9453 2 9454 200 OK (status code) 127 9455 201 Created (status code) 128 9456 202 Accepted (status code) 128 9457 203 Non-Authoritative Information (status code) 129 9458 204 No Content (status code) 129 9459 205 Reset Content (status code) 130 9460 206 Partial Content (status code) 130 9461 2xx Successful (status code class) 127 9463 3 9464 300 Multiple Choices (status code) 135 9465 301 Moved Permanently (status code) 136 9466 302 Found (status code) 136 9467 303 See Other (status code) 137 9468 304 Not Modified (status code) 137 9469 305 Use Proxy (status code) 138 9470 306 (Unused) (status code) 138 9471 307 Temporary Redirect (status code) 138 9472 308 Permanent Redirect (status code) 139 9473 3xx Redirection (status code class) 133 9475 4 9476 400 Bad Request (status code) 139 9477 401 Unauthorized (status code) 139 9478 402 Payment Required (status code) 140 9479 403 Forbidden (status code) 140 9480 404 Not Found (status code) 140 9481 405 Method Not Allowed (status code) 141 9482 406 Not Acceptable (status code) 141 9483 407 Proxy Authentication Required (status code) 141 9484 408 Request Timeout (status code) 141 9485 409 Conflict (status code) 142 9486 410 Gone (status code) 142 9487 411 Length Required (status code) 142 9488 412 Precondition Failed (status code) 143 9489 413 Payload Too Large (status code) 143 9490 414 URI Too Long (status code) 143 9491 415 Unsupported Media Type (status code) 143 9492 416 Range Not Satisfiable (status code) 144 9493 417 Expectation Failed (status code) 144 9494 418 (Unused) (status code) 145 9495 422 Unprocessable Payload (status code) 145 9496 426 Upgrade Required (status code) 145 9497 4xx Client Error (status code class) 139 9499 5 9500 500 Internal Server Error (status code) 146 9501 501 Not Implemented (status code) 146 9502 502 Bad Gateway (status code) 146 9503 503 Service Unavailable (status code) 146 9504 504 Gateway Timeout (status code) 146 9505 505 HTTP Version Not Supported (status code) 147 9506 5xx Server Error (status code class) 145 9508 A 9509 Accept header field 109 9510 Accept-Charset header field 111 9511 Accept-Encoding header field 112 9512 Accept-Language header field 114 9513 Accept-Ranges header field 165 9514 Allow header field 165 9515 Authentication-Info header field 163 9516 Authorization header field 118 9517 accelerator 14 9518 authoritative response 167 9520 B 9521 browser 11 9523 C 9524 CONNECT method 88 9525 Canonical Root URI 117 9526 Content-Encoding header field 63 9527 Content-Language header field 64 9528 Content-Length header field 64 9529 Content-Location header field 66 9530 Content-MD5 header field 177 9531 Content-Range header field 70 9532 Content-Type header field 62 9533 cache 15 9534 cacheable 16 9535 captive portal 15 9536 client 11 9537 complete 12 9538 compress (Coding Format) 56 9539 compress (content coding) 55 9540 conditional request 96 9541 connection 11 9542 content coding 55 9543 content negotiation 9 9545 D 9546 DELETE method 87 9547 Date header field 149 9548 Delimiters 31 9549 deflate (Coding Format) 56 9550 deflate (content coding) 55 9551 downstream 14 9553 E 9554 ETag field 157 9555 Expect header field 93 9556 effective request URI 47 9558 F 9559 Fields 9560 Accept 109 9561 Accept-Charset 111 9562 Accept-Encoding 112 9563 Accept-Language 114 9564 Accept-Ranges 165 9565 Allow 165 9566 Authentication-Info 163 9567 Authorization 118 9568 Content-Encoding 63 9569 Content-Language 64 9570 Content-Length 64 9571 Content-Location 66 9572 Content-MD5 177 9573 Content-Range 70 9574 Content-Type 62 9575 Date 149 9576 ETag 157 9577 Expect 93 9578 From 121 9579 Host 48 9580 If-Match 100 9581 If-Modified-Since 103 9582 If-None-Match 101 9583 If-Range 105 9584 If-Unmodified-Since 104 9585 Last-Modified 155 9586 Location 150 9587 Max-Forwards 96 9588 Proxy-Authenticate 163 9589 Proxy-Authentication-Info 164 9590 Proxy-Authorization 118 9591 Range 106 9592 Referer 122 9593 Retry-After 151 9594 Server 166 9595 Trailer 37 9596 User-Agent 123 9597 Vary 152 9598 Via 49 9599 WWW-Authenticate 162 9600 Fragment Identifiers 20 9601 From header field 121 9602 field 25 9603 field line 26 9604 field line value 26 9605 field name 26 9606 field value 26 9608 G 9609 GET method 82 9610 Grammar 9611 absolute-path 17 9612 absolute-URI 17 9613 Accept 109 9614 Accept-Charset 111 9615 Accept-Encoding 112 9616 accept-ext 109 9617 Accept-Language 114 9618 accept-params 109 9619 Accept-Ranges 165 9620 acceptable-ranges 165 9621 Allow 165 9622 ALPHA 10 9623 asctime-date 34 9624 auth-param 115 9625 auth-scheme 115 9626 Authentication-Info 163 9627 authority 17 9628 Authorization 118 9629 BWS 11 9630 challenge 116 9631 charset 53 9632 codings 112 9633 comment 32 9634 complete-length 70 9635 content-coding 55 9636 Content-Encoding 63 9637 Content-Language 64 9638 Content-Length 65 9639 Content-Location 66 9640 Content-Range 70 9641 Content-Type 62 9642 CR 10 9643 credentials 116 9644 CRLF 10 9645 ctext 32 9646 CTL 10 9647 Date 149 9648 date1 34 9649 day 34 9650 day-name 34 9651 day-name-l 34 9652 delay-seconds 151 9653 DIGIT 10 9654 DQUOTE 10 9655 entity-tag 158 9656 ETag 158 9657 etagc 158 9658 Expect 93 9659 field-content 30 9660 field-name 28, 38 9661 field-value 30 9662 field-vchar 30 9663 first-pos 58, 70 9664 From 121 9665 GMT 34 9666 HEXDIG 10 9667 Host 48 9668 hour 34 9669 HTAB 10 9670 HTTP-date 33 9671 http-URI 18 9672 https-URI 19 9673 If-Match 100 9674 If-Modified-Since 103 9675 If-None-Match 101 9676 If-Range 106 9677 If-Unmodified-Since 104 9678 IMF-fixdate 34 9679 incl-range 70 9680 int-range 58 9681 language-range 114 9682 language-tag 57 9683 Last-Modified 155 9684 last-pos 58, 70 9685 LF 10 9686 Location 150 9687 Max-Forwards 96 9688 media-range 109 9689 media-type 53 9690 method 78 9691 minute 34 9692 month 34 9693 obs-date 34 9694 obs-text 32 9695 OCTET 10 9696 opaque-tag 158 9697 other-range 59 9698 OWS 11 9699 parameter 33 9700 parameter-name 33 9701 parameter-value 33 9702 partial-URI 17 9703 port 17 9704 product 123 9705 product-version 123 9706 protocol-name 49 9707 protocol-version 49 9708 Proxy-Authenticate 163 9709 Proxy-Authentication-Info 164 9710 Proxy-Authorization 118 9711 pseudonym 49 9712 qdtext 32 9713 query 17 9714 quoted-pair 32 9715 quoted-string 32 9716 qvalue 77 9717 Range 106 9718 range-resp 70 9719 range-set 58 9720 range-spec 58 9721 range-unit 57 9722 ranges-specifier 58 9723 received-by 49 9724 received-protocol 49 9725 Referer 122 9726 Retry-After 151 9727 rfc850-date 34 9728 RWS 11 9729 second 34 9730 segment 17 9731 Server 166 9732 SP 10 9733 subtype 53 9734 suffix-length 59 9735 suffix-range 59 9736 tchar 32 9737 time-of-day 34 9738 token 32 9739 token68 115 9740 Trailer 38 9741 type 53 9742 unsatisfied-range 70 9743 uri-host 17 9744 URI-reference 17 9745 User-Agent 123 9746 Vary 152 9747 VCHAR 10 9748 Via 49 9749 weak 158 9750 weight 77 9751 WWW-Authenticate 162 9752 year 34 9753 gateway 14 9754 gzip (Coding Format) 56 9755 gzip (content coding) 55 9757 H 9758 HEAD method 83 9759 Header Fields 9760 Accept 109 9761 Accept-Charset 111 9762 Accept-Encoding 112 9763 Accept-Language 114 9764 Accept-Ranges 165 9765 Allow 165 9766 Authentication-Info 163 9767 Authorization 118 9768 Content-Encoding 63 9769 Content-Language 64 9770 Content-Length 64 9771 Content-Location 66 9772 Content-MD5 177 9773 Content-Range 70 9774 Content-Type 62 9775 Date 149 9776 ETag 157 9777 Expect 93 9778 From 121 9779 Host 48 9780 If-Match 100 9781 If-Modified-Since 103 9782 If-None-Match 101 9783 If-Range 105 9784 If-Unmodified-Since 104 9785 Last-Modified 155 9786 Location 150 9787 Max-Forwards 96 9788 Proxy-Authenticate 163 9789 Proxy-Authentication-Info 164 9790 Proxy-Authorization 118 9791 Range 106 9792 Referer 122 9793 Retry-After 151 9794 Server 166 9795 Trailer 37 9796 User-Agent 123 9797 Vary 152 9798 Via 49 9799 WWW-Authenticate 162 9800 Host header field 48 9801 header section 25 9802 http URI scheme 18 9803 https URI scheme 18 9805 I 9806 If-Match header field 100 9807 If-Modified-Since header field 103 9808 If-None-Match header field 101 9809 If-Range header field 105 9810 If-Unmodified-Since header field 104 9811 idempotent 81 9812 inbound 14 9813 incomplete 12 9814 interception proxy 15 9815 intermediary 13 9817 L 9818 Last-Modified header field 155 9819 Location header field 150 9821 M 9822 Max-Forwards header field 96 9823 Media Type 9824 multipart/byteranges 72 9825 multipart/x-byteranges 72 9826 message 12 9827 metadata 153 9828 multipart/byteranges Media Type 72 9829 multipart/x-byteranges Media Type 72 9831 N 9832 non-transforming proxy 51 9834 O 9835 OPTIONS method 90 9836 origin 42 9837 origin server 11 9838 outbound 14 9840 P 9841 POST method 84 9842 PUT method 85 9843 Protection Space 117 9844 Proxy-Authenticate header field 163 9845 Proxy-Authentication-Info header field 164 9846 Proxy-Authorization header field 118 9847 payload 68 9848 phishing 167 9849 proxy 14 9851 R 9852 Range header field 106 9853 Realm 117 9854 Referer header field 122 9855 Retry-After header field 151 9856 recipient 11 9857 representation 52 9858 request 12 9859 resource 16 9860 response 12 9861 reverse proxy 14 9863 S 9864 Server header field 166 9865 Status Code 124 9866 Status Codes 9867 Final 125 9868 Informational 125 9869 Interim 125 9870 Status Codes Classes 9871 1xx Informational 126 9872 2xx Successful 127 9873 3xx Redirection 133 9874 4xx Client Error 139 9875 5xx Server Error 145 9876 safe 80 9877 secured 18 9878 selected representation 52, 96, 153 9879 sender 11 9880 server 11 9881 spider 11 9883 T 9884 TRACE method 91 9885 Trailer Fields 9886 ETag 157 9887 Trailer header field 37 9888 target URI 41 9889 target resource 41 9890 trailer fields 36 9891 trailer section 25 9892 trailers 36 9893 transforming proxy 51 9894 transparent proxy 15 9895 tunnel 15 9897 U 9898 URI 9899 origin 42 9900 URI scheme 9901 http 18 9902 https 18 9903 User-Agent header field 123 9904 upstream 14 9905 user agent 11 9907 V 9908 Vary header field 152 9909 Via header field 49 9910 validator 153 9911 strong 154 9912 weak 154 9914 W 9915 WWW-Authenticate header field 162 9917 X 9918 x-compress (content coding) 55 9919 x-gzip (content coding) 55 9921 Acknowledgments 9923 This edition of the HTTP specification builds on the many 9924 contributions that went into RFC 1945, RFC 2068, RFC 2145, RFC 2616, 9925 and RFC 2818, including substantial contributions made by the 9926 previous authors, editors, and Working Group Chairs: Tim Berners-Lee, 9927 Ari Luotonen, Roy T. Fielding, Henrik Frystyk Nielsen, Jim Gettys, 9928 Jeffrey C. Mogul, Larry Masinter, Paul J. Leach, Eric Rescorla, and 9929 Yves Lafon. 9931 See Section 10 of [RFC7230] for further acknowledgements from prior 9932 revisions. 9934 In addition, this document has reincorporated the HTTP Authentication 9935 Framework, previously defined in RFC 7235 and RFC 2617. We thank 9936 John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott 9937 D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart 9938 for their work on that specification. See Section 6 of [RFC2617] for 9939 further acknowledgements. 9941 [[newacks: New acks to be added here.]] 9943 Authors' Addresses 9945 Roy T. Fielding (editor) 9946 Adobe 9947 345 Park Ave 9948 San Jose, CA 95110 9949 United States of America 9951 EMail: fielding@gbiv.com 9952 URI: https://roy.gbiv.com/ 9954 Mark Nottingham (editor) 9955 Fastly 9957 EMail: mnot@mnot.net 9958 URI: https://www.mnot.net/ 9960 Julian F. Reschke (editor) 9961 greenbytes GmbH 9962 Hafenweg 16 9963 Muenster 48155 9964 Germany 9966 EMail: julian.reschke@greenbytes.de 9967 URI: https://greenbytes.de/tech/webdav/