-
Notifications
You must be signed in to change notification settings - Fork 43
/
rfc9112.xml
3023 lines (2896 loc) · 129 KB
/
rfc9112.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='lib/myxml2rfc.xslt'?>
<!DOCTYPE rfc [
<!ENTITY MAY "<bcp14>MAY</bcp14>">
<!ENTITY MUST "<bcp14>MUST</bcp14>">
<!ENTITY MUST-NOT "<bcp14>MUST NOT</bcp14>">
<!ENTITY NOT-RECOMMENDED "<bcp14>NOT RECOMMENDED</bcp14>">
<!ENTITY OPTIONAL "<bcp14>OPTIONAL</bcp14>">
<!ENTITY RECOMMENDED "<bcp14>RECOMMENDED</bcp14>">
<!ENTITY REQUIRED "<bcp14>REQUIRED</bcp14>">
<!ENTITY SHALL "<bcp14>SHALL</bcp14>">
<!ENTITY SHALL-NOT "<bcp14>SHALL NOT</bcp14>">
<!ENTITY SHOULD "<bcp14>SHOULD</bcp14>">
<!ENTITY SHOULD-NOT "<bcp14>SHOULD NOT</bcp14>">
<!ENTITY ID-VERSION "latest">
<!ENTITY mdash "—">
<!ENTITY nbsp " ">
<!ENTITY uuml "ü">
<!ENTITY Note "<x:h xmlns:x='http://purl.org/net/xml2rfc/ext'>Note:</x:h>">
]>
<?rfc compact="yes"?>
<?rfc subcompact="no" ?>
<?rfc linkmailto="no" ?>
<?rfc editing="no" ?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc-ext allow-markup-in-artwork="yes" ?>
<?rfc-ext map-dfn="none" ?>
<?rfc-ext html-pretty-print="prettyprint https://cdn.rawgit.com/google/code-prettify/master/loader/run_prettify.js"?>
<?rfc-ext include-references-in-index="yes" ?>
<?rfc-ext xml2rfc-backend="202007"?>
<rfc obsoletes="7230" category="std" x:maturity-level="internet"
number="9112" seriesNo="99"
ipr="pre5378Trust200902" docName="draft-ietf-httpbis-messaging-&ID-VERSION;"
xmlns:x='http://purl.org/net/xml2rfc/ext'
xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'
version="3" tocDepth="4" sortRefs="true">
<x:feedback template="mailto:[email protected]?subject={docname},%20%22{section}%22&body=<{ref}>:"/>
<front>
<title>HTTP/1.1</title>
<author fullname="Roy T. Fielding" initials="R." surname="Fielding" role="editor">
<organization>Adobe</organization>
<address>
<postal>
<postalLine>345 Park Ave</postalLine>
<postalLine>San Jose, CA 95110</postalLine>
<country>United States of America</country>
</postal>
<uri>https://roy.gbiv.com/</uri>
</address>
</author>
<author fullname="Mark Nottingham" initials="M." surname="Nottingham" role="editor">
<organization>Fastly</organization>
<address>
<postal>
<postalLine>Prahran</postalLine>
<country>Australia</country>
</postal>
<uri>https://www.mnot.net/</uri>
</address>
</author>
<author fullname="Julian Reschke" initials="J." surname="Reschke" role="editor">
<organization abbrev="greenbytes">greenbytes GmbH</organization>
<address>
<postal>
<postalLine>Hafenweg 16</postalLine>
<postalLine>48155 Münster</postalLine>
<country>Germany</country>
</postal>
<uri>https://greenbytes.de/tech/webdav/</uri>
</address>
</author>
<date year="2022" month="June"/>
<area>Applications and Real-Time</area>
<workgroup>HTTP</workgroup>
<keyword>Hypertext Transfer Protocol</keyword>
<keyword>HTTP</keyword>
<keyword>HTTP message format</keyword>
<abstract>
<t>
The Hypertext Transfer Protocol (HTTP) is a stateless application-level
protocol for distributed, collaborative, hypertext information systems.
This document specifies the HTTP/1.1 message syntax, message parsing,
connection management, and related security concerns.
</t>
<t>
This document obsoletes portions of RFC 7230.
</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="introduction">
<t>
The Hypertext Transfer Protocol (HTTP) is a stateless application-level
request/response protocol that uses extensible semantics and
self-descriptive messages for flexible interaction with network-based
hypertext information systems. HTTP/1.1 is defined by:
</t>
<ul>
<li>This document</li>
<li>"HTTP Semantics" <xref target="HTTP"/></li>
<li>"HTTP Caching" <xref target="CACHING"/></li>
</ul>
<t>
This document specifies how HTTP semantics are conveyed using the
HTTP/1.1 message syntax, framing, and connection management mechanisms.
Its goal is to define the complete set of requirements for HTTP/1.1
message parsers and message-forwarding intermediaries.
</t>
<t>
This document obsoletes the portions of
<xref target="RFC7230" format="none">RFC 7230</xref> related to HTTP/1.1
messaging and connection management, with the changes being summarized in
<xref target="changes.from.rfc.7230"/>. The other parts of
<xref target="RFC7230" format="none">RFC 7230</xref> are obsoleted by
"HTTP Semantics" <xref target="HTTP"/>.
</t>
<section title="Requirements Notation" anchor="requirements.notation">
<t>
The key words "&MUST;", "&MUST-NOT;", "&REQUIRED;", "&SHALL;", "&SHALL-NOT;",
"&SHOULD;", "&SHOULD-NOT;", "&RECOMMENDED;", "&NOT-RECOMMENDED;",
"&MAY;", and "&OPTIONAL;" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
</t>
<t>
Conformance criteria and considerations regarding error handling
are defined in <xref target="HTTP" x:rel="#conformance"/>.
</t>
</section>
<section title="Syntax Notation" anchor="notation">
<iref primary="true" item="Grammar" subitem="ALPHA"/>
<iref primary="true" item="Grammar" subitem="CR"/>
<iref primary="true" item="Grammar" subitem="CRLF"/>
<iref primary="true" item="Grammar" subitem="CTL"/>
<iref primary="true" item="Grammar" subitem="DIGIT"/>
<iref primary="true" item="Grammar" subitem="DQUOTE"/>
<iref primary="true" item="Grammar" subitem="HEXDIG"/>
<iref primary="true" item="Grammar" subitem="HTAB"/>
<iref primary="true" item="Grammar" subitem="LF"/>
<iref primary="true" item="Grammar" subitem="OCTET"/>
<iref primary="true" item="Grammar" subitem="SP"/>
<iref primary="true" item="Grammar" subitem="VCHAR"/>
<t>
This specification uses the Augmented Backus-Naur Form (ABNF) notation of
<xref target="RFC5234"/>, extended with the notation for case-sensitivity
in strings defined in <xref target="RFC7405"/>.
</t>
<t>
It also uses a list extension, defined in <xref target="abnf.extension"/>,
that allows for compact definition of comma-separated lists using a "#"
operator (similar to how the "*" operator indicates repetition). <xref
target="collected.abnf"/> shows the collected grammar with all list
operators expanded to standard ABNF notation.
</t>
<t>
As a convention, ABNF rule names prefixed with "obs-" denote
obsolete grammar rules that appear for historical reasons.
</t>
<t anchor="core.rules">
<x:anchor-alias value="ALPHA"/>
<x:anchor-alias value="CR"/>
<x:anchor-alias value="CRLF"/>
<x:anchor-alias value="CTL"/>
<x:anchor-alias value="DIGIT"/>
<x:anchor-alias value="DQUOTE"/>
<x:anchor-alias value="HEXDIG"/>
<x:anchor-alias value="HTAB"/>
<x:anchor-alias value="LF"/>
<x:anchor-alias value="OCTET"/>
<x:anchor-alias value="SP"/>
<x:anchor-alias value="VCHAR"/>
The following core rules are included by
reference, as defined in <xref target="RFC5234" x:fmt="," x:sec="B.1"/>:
ALPHA (letters), CR (carriage return), CRLF (CR LF), CTL (controls),
DIGIT (decimal 0-9), DQUOTE (double quote),
HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF (line feed),
OCTET (any 8-bit sequence of data), SP (space), and
VCHAR (any visible <xref target="USASCII"/> character).
</t>
<t anchor="imported.rules">
<x:anchor-alias value="absolute-path"/>
<x:anchor-alias value="comment"/>
<x:anchor-alias value="field-name"/>
<x:anchor-alias value="field-value"/>
<x:anchor-alias value="obs-text"/>
<x:anchor-alias value="quoted-string"/>
<x:anchor-alias value="token"/>
The rules below are defined in <xref target="HTTP"/>:
</t>
<sourcecode type="abnf7230">
<x:ref>BWS</x:ref> = <BWS, see <xref target="whitespace"/>>
<x:ref>OWS</x:ref> = <OWS, see <xref target="whitespace"/>>
<x:ref>RWS</x:ref> = <RWS, see <xref target="whitespace"/>>
<x:ref>absolute-path</x:ref> = <absolute-path, see <xref target="uri.references"/>>
<x:ref>field-name</x:ref> = <field-name, see <xref target="fields.names"/>>
<x:ref>field-value</x:ref> = <field-value, see <xref target="fields.values"/>>
<x:ref>obs-text</x:ref> = <obs-text, see <xref target="quoted.strings"/>>
<x:ref>quoted-string</x:ref> = <quoted-string, see <xref target="quoted.strings"/>>
<x:ref>token</x:ref> = <token, see <xref target="tokens"/>>
<x:ref>transfer-coding</x:ref> =
<transfer-coding, see <xref target="field.te"/>>
</sourcecode>
<t anchor="imported.uri.rules">
<x:anchor-alias value="absolute-URI"/>
<x:anchor-alias value="authority"/>
<x:anchor-alias value="query"/>
The rules below are defined in <xref target="URI"/>:
</t>
<sourcecode type="abnf7230">
<x:ref>absolute-URI</x:ref> = <absolute-URI, see <xref target="URI" x:fmt="," x:sec="4.3"/>>
<x:ref>authority</x:ref> = <authority, see <xref target="URI" x:fmt="," x:sec="3.2"/>>
<x:ref>uri-host</x:ref> = <host, see <xref target="URI" x:fmt="," x:sec="3.2.2"/>>
<x:ref>port</x:ref> = <port, see <xref target="URI" x:fmt="," x:sec="3.2.3"/>>
<x:ref>query</x:ref> = <query, see <xref target="URI" x:fmt="," x:sec="3.4"/>>
</sourcecode>
</section>
</section>
<section title="Message" anchor="http.message">
<t>
HTTP/1.1 clients and servers communicate by sending messages.
See <xref target="HTTP" x:fmt="of" x:rel="#terminology"/> for
the general terminology and core concepts of HTTP.
</t>
<section title="Message Format" anchor="message.format">
<x:anchor-alias value="generic-message"/>
<x:anchor-alias value="message.types"/>
<x:anchor-alias value="HTTP-message"/>
<x:anchor-alias value="start-line"/>
<iref item="header section"/>
<iref item="headers"/>
<iref item="header line"/>
<t>
An HTTP/1.1 message consists of a start-line followed by a CRLF and a
sequence of
octets in a format similar to the Internet Message Format
<xref target="RFC5322"/>: zero or more header field lines (collectively
referred to as the "headers" or the "header section"), an empty line
indicating the end of the header section, and an optional message body.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="HTTP-message"><!--terminal production--></iref>
<x:ref>HTTP-message</x:ref> = <x:ref>start-line</x:ref> <x:ref>CRLF</x:ref>
*( <x:ref>field-line</x:ref> <x:ref>CRLF</x:ref> )
<x:ref>CRLF</x:ref>
[ <x:ref>message-body</x:ref> ]
</sourcecode>
<t>
A message can be either a request from client to server or a
response from server to client. Syntactically, the two types of messages
differ only in the start-line, which is either a request-line (for requests)
or a status-line (for responses), and in the algorithm for determining
the length of the message body (<xref target="message.body"/>).
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="start-line"/>
<x:ref>start-line</x:ref> = <x:ref>request-line</x:ref> / <x:ref>status-line</x:ref>
</sourcecode>
<t>
In theory, a client could receive requests and a server could receive
responses, distinguishing them by their different start-line formats.
In practice, servers are implemented to only expect a request
(a response is interpreted as an unknown or invalid request method),
and clients are implemented to only expect a response.
</t>
<t>
HTTP makes use of some protocol elements similar to the
Multipurpose Internet Mail Extensions (MIME) <xref target="RFC2045"/>.
See <xref target="differences.between.http.and.mime"/> for the
differences between HTTP and MIME messages.
</t>
</section>
<section title="Message Parsing" anchor="message.parsing">
<t>
The normal procedure for parsing an HTTP message is to read the
start-line into a structure, read each header field line into a hash
table by field name until the empty line, and then use the parsed
data to determine if a message body is expected. If a message body
has been indicated, then it is read as a stream until an amount
of octets equal to the message body length is read or the connection
is closed.
</t>
<t>
A recipient &MUST; parse an HTTP message as a sequence of octets in an
encoding that is a superset of US-ASCII <xref target="USASCII"/>.
Parsing an HTTP message as a stream of Unicode characters, without regard
for the specific encoding, creates security vulnerabilities due to the
varying ways that string processing libraries handle invalid multibyte
character sequences that contain the octet LF (%x0A). String-based
parsers can only be safely used within protocol elements after the element
has been extracted from the message, such as within a header field line value
after message parsing has delineated the individual field lines.
</t>
<t>
Although the line terminator for the start-line and
fields is the sequence CRLF, a recipient &MAY; recognize a
single LF as a line terminator and ignore any preceding CR.
</t>
<t>
A sender &MUST-NOT; generate a bare CR (a CR character not immediately
followed by LF) within any protocol elements other than the content.
A recipient of such a bare CR &MUST; consider that element to be invalid or
replace each bare CR with SP before processing the element or forwarding
the message.
</t>
<t>
Older HTTP/1.0 user agent implementations might send an extra CRLF
after a POST request as a workaround for some early server
applications that failed to read message body content that was
not terminated by a line-ending. An HTTP/1.1 user agent &MUST-NOT;
preface or follow a request with an extra CRLF. If terminating
the request message body with a line-ending is desired, then the
user agent &MUST; count the terminating CRLF octets as part of the
message body length.
</t>
<t>
In the interest of robustness, a server that is expecting to receive and
parse a request-line &SHOULD; ignore at least one empty line (CRLF)
received prior to the request-line.
</t>
<t>
A sender &MUST-NOT; send whitespace between the start-line and
the first header field.
</t>
<t>
A recipient that receives whitespace between the start-line and
the first header field &MUST; either reject the message as invalid or
consume each whitespace-preceded line without further processing of it
(i.e., ignore the entire line, along with any subsequent lines preceded
by whitespace, until a properly formed header field is received or the
header section is terminated).
Rejection or removal of invalid whitespace-preceded lines is necessary
to prevent their misinterpretation by downstream recipients that might
be vulnerable to request smuggling (<xref target="request.smuggling"/>)
or response splitting (<xref target="response.splitting"/>) attacks.
</t>
<t>
When a server listening only for HTTP request messages, or processing
what appears from the start-line to be an HTTP request message,
receives a sequence of octets that does not match the HTTP-message
grammar aside from the robustness exceptions listed above, the
server &SHOULD; respond with a <x:ref>400 (Bad Request)</x:ref> response
and close the connection.
</t>
</section>
<section title="HTTP Version" anchor="http.version">
<x:anchor-alias value="HTTP-version"/>
<x:anchor-alias value="HTTP-name"/>
<t>
HTTP uses a "<major>.<minor>" numbering scheme to indicate
versions of the protocol. This specification defines version "1.1".
<xref target="protocol.version"/> specifies the semantics of HTTP version
numbers.
</t>
<t>
The version of an HTTP/1.x message is indicated by an HTTP-version field
in the <x:ref>start-line</x:ref>. HTTP-version is case-sensitive.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="HTTP-version"/><iref primary="true" item="Grammar" subitem="HTTP-name"/>
<x:ref>HTTP-version</x:ref> = <x:ref>HTTP-name</x:ref> "/" <x:ref>DIGIT</x:ref> "." <x:ref>DIGIT</x:ref>
<x:ref>HTTP-name</x:ref> = %s"HTTP"
</sourcecode>
<t>
When an HTTP/1.1 message is sent to an HTTP/1.0 recipient
<xref target="HTTP10"/> or a recipient whose version is unknown,
the HTTP/1.1 message is constructed such that it can be interpreted
as a valid HTTP/1.0 message if all of the newer features are ignored.
This specification places recipient-version requirements on some
new features so that a conformant sender will only use compatible
features until it has determined, through configuration or the
receipt of a message, that the recipient supports HTTP/1.1.
</t>
<t>
Intermediaries that process HTTP messages (i.e., all intermediaries
other than those acting as tunnels) &MUST; send their own HTTP-version
in forwarded messages, unless it is purposefully downgraded as a workaround
for an upstream issue. In other words, an intermediary is not allowed to blindly
forward the <x:ref>start-line</x:ref> without ensuring that the
protocol version in that message matches a version to which that
intermediary is conformant for both the receiving and
sending of messages. Forwarding an HTTP message without rewriting
the HTTP-version might result in communication errors when downstream
recipients use the message sender's version to determine what features
are safe to use for later communication with that sender.
</t>
<t>
A server &MAY; send an HTTP/1.0 response to an HTTP/1.1 request
if it is known or suspected that the client incorrectly implements the
HTTP specification and is incapable of correctly processing later
version responses, such as when a client fails to parse the version
number correctly or when an intermediary is known to blindly forward
the HTTP-version even when it doesn't conform to the given minor
version of the protocol. Such protocol downgrades &SHOULD-NOT; be
performed unless triggered by specific client attributes, such as when
one or more of the request header fields (e.g., <x:ref>User-Agent</x:ref>)
uniquely match the values sent by a client known to be in error.
</t>
</section>
</section>
<section title="Request Line" anchor="request.line">
<x:anchor-alias value="Request"/>
<x:anchor-alias value="request-line"/>
<t>
A request-line begins with a method token, followed by a single
space (SP), the request-target, and another single space (SP), and ends
with the protocol version.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="request-line"/>
<x:ref>request-line</x:ref> = <x:ref>method</x:ref> <x:ref>SP</x:ref> <x:ref>request-target</x:ref> <x:ref>SP</x:ref> <x:ref>HTTP-version</x:ref>
</sourcecode>
<t>
Although the request-line grammar rule requires that each of the component
elements be separated by a single SP octet, recipients &MAY; instead parse
on whitespace-delimited word boundaries and, aside from the CRLF
terminator, treat any form of whitespace as the SP separator while
ignoring preceding or trailing whitespace; such whitespace includes one or
more of the following octets: SP, HTAB, VT (%x0B), FF (%x0C), or bare CR.
However, lenient parsing can result in request smuggling security
vulnerabilities if there are multiple recipients of the message and each
has its own unique interpretation of robustness
(see <xref target="request.smuggling"/>).
</t>
<t>
HTTP does not place a predefined limit on the length of a request-line,
as described in <xref target="HTTP" x:rel="#length.requirements"/>.
A server that receives a method longer than any that it implements
&SHOULD; respond with a <x:ref>501 (Not Implemented)</x:ref> status code.
A server that receives a request-target longer than any URI it wishes to
parse &MUST; respond with a
<x:ref>414 (URI Too Long)</x:ref> status code (see <xref target="status.414"/>).
</t>
<t>
Various ad hoc limitations on request-line length are found in practice.
It is &RECOMMENDED; that all HTTP senders and recipients support, at a
minimum, request-line lengths of 8000 octets.
</t>
<section title="Method" anchor="request.method">
<iref primary="true" item="method"/>
<x:anchor-alias value="method"/>
<t>
The method token indicates the request method to be performed on the
target resource. The request method is case-sensitive.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="method"/>
<x:ref>method</x:ref> = <x:ref>token</x:ref>
</sourcecode>
<t>
The request methods defined by this specification can be found in
<xref target="methods"/>, along with information regarding the HTTP method
registry and considerations for defining new methods.
</t>
</section>
<section title="Request Target" anchor="request.target">
<iref primary="true" item="request-target"/>
<x:anchor-alias value="request-target"/>
<t>
The request-target identifies the target resource upon which to apply the
request. The client derives a request-target from its desired target URI.
There are four distinct formats for the request-target, depending on both
the method being requested and whether the request is to a proxy.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="request-target"/><iref primary="false" item="Grammar" subitem="origin-form"/><iref primary="false" item="Grammar" subitem="absolute-form"/><iref primary="false" item="Grammar" subitem="authority-form"/><iref primary="false" item="Grammar" subitem="asterisk-form"/>
<x:ref>request-target</x:ref> = <x:ref>origin-form</x:ref>
/ <x:ref>absolute-form</x:ref>
/ <x:ref>authority-form</x:ref>
/ <x:ref>asterisk-form</x:ref>
</sourcecode>
<t>
No whitespace is allowed in the request-target.
Unfortunately, some user agents fail to properly encode or exclude
whitespace found in hypertext references, resulting in those disallowed
characters being sent as the request-target in a malformed request-line.
</t>
<t>
Recipients of an invalid request-line &SHOULD; respond with either a
<x:ref>400 (Bad Request)</x:ref> error or a <x:ref>301 (Moved Permanently)</x:ref>
redirect with the request-target properly encoded. A recipient &SHOULD-NOT;
attempt to autocorrect and then process the request without a redirect,
since the invalid request-line might be deliberately crafted to bypass
security filters along the request chain.
</t>
<t>
A client &MUST; send a <x:ref>Host</x:ref> header field (<xref target="field.host"/>)
in all HTTP/1.1 request messages.
If the target URI includes an authority component, then a client &MUST;
send a field value for Host that is identical to that authority
component, excluding any userinfo subcomponent and its "@" delimiter
(<xref target="uri.schemes"/>).
If the authority component is missing or undefined for the target URI,
then a client &MUST; send a Host header field with an empty field value.
</t>
<t>
A server &MUST; respond with a <x:ref>400 (Bad Request)</x:ref> status code
to any HTTP/1.1 request message that lacks a Host header field and
to any request message that contains more than one Host header field line
or a Host header field with an invalid field value.
</t>
<section title="origin-form" anchor="origin-form">
<iref item="origin-form (of request-target)"/>
<t>
The most common form of request-target is the <x:dfn>origin-form</x:dfn>.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="origin-form"/>
<x:ref>origin-form</x:ref> = <x:ref>absolute-path</x:ref> [ "?" <x:ref>query</x:ref> ]
</sourcecode>
<t>
When making a request directly to an origin server, other than a CONNECT
or server-wide OPTIONS request (as detailed below),
a client &MUST; send only the absolute path and query components of
the target URI as the request-target.
If the target URI's path component is empty, the client &MUST; send
"/" as the path within the origin-form of request-target.
A <x:ref>Host</x:ref> header field is also sent, as defined in
<xref target="field.host"/>.
</t>
<t>
For example, a client wishing to retrieve a representation of the resource
identified as
</t>
<artwork x:indent-with=" " type="example">
http://www.example.org/where?q=now
</artwork>
<t>
directly from the origin server would open (or reuse) a TCP connection
to port 80 of the host "www.example.org" and send the lines:
</t>
<sourcecode type="http-message">
GET /where?q=now HTTP/1.1
Host: www.example.org
</sourcecode>
<t>
followed by the remainder of the request message.
</t>
</section>
<section title="absolute-form" anchor="absolute-form">
<iref item="absolute-form (of request-target)"/>
<t>
When making a request to a proxy, other than a CONNECT or server-wide
OPTIONS request (as detailed below), a client &MUST; send the target URI
in <x:dfn>absolute-form</x:dfn> as the request-target.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="absolute-form"/>
<x:ref>absolute-form</x:ref> = <x:ref>absolute-URI</x:ref>
</sourcecode>
<t>
The proxy is requested to either service that request from a valid cache,
if possible, or make the same request on the client's behalf either to
the next inbound proxy server or directly to the origin server indicated
by the request-target. Requirements on such "forwarding" of messages are
defined in <xref target="message.forwarding"/>.
</t>
<t>
An example absolute-form of request-line would be:
</t>
<sourcecode type="http-message">
GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1
</sourcecode>
<t>
A client &MUST; send a Host header field in an HTTP/1.1 request even
if the request-target is in the absolute-form, since this
allows the Host information to be forwarded through ancient HTTP/1.0
proxies that might not have implemented Host.
</t>
<t>
When a proxy receives a request with an absolute-form of
request-target, the proxy &MUST; ignore the received
Host header field (if any) and instead replace it with the host
information of the request-target. A proxy that forwards such a request
&MUST; generate a new Host field value based on the received
request-target rather than forward the received Host field value.
</t>
<t>
When an origin server receives a request with an absolute-form of
request-target, the origin server &MUST; ignore the received Host header
field (if any) and instead use the host information of the request-target.
Note that if the request-target does not have an authority component, an
empty Host header field will be sent in this case.
</t>
<t>
A server &MUST; accept the absolute-form in requests even though most
HTTP/1.1 clients will only send the absolute-form to a proxy.
</t>
</section>
<section title="authority-form" anchor="authority-form">
<iref item="authority-form (of request-target)"/>
<t>
The <x:dfn>authority-form</x:dfn> of request-target is only used for
CONNECT requests (<xref target="CONNECT"/>). It consists of only the
<x:ref>uri-host</x:ref> and <x:ref>port</x:ref> number of the tunnel
destination, separated by a colon (":").
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="authority-form"/>
<x:ref>authority-form</x:ref> = <x:ref>uri-host</x:ref> ":" <x:ref>port</x:ref>
</sourcecode>
<t>
When making a CONNECT request to establish a tunnel through one or more
proxies, a client &MUST; send only the host and port of the tunnel
destination as the request-target. The client obtains the host and port
from the target URI's <x:ref>authority</x:ref> component, except that it
sends the scheme's default port if the target URI elides the port.
For example, a CONNECT request to "http://www.example.com" looks like the
following:
</t>
<sourcecode type="http-message">
CONNECT www.example.com:80 HTTP/1.1
Host: www.example.com
</sourcecode>
</section>
<section title="asterisk-form" anchor="asterisk-form">
<iref item="asterisk-form (of request-target)"/>
<t>
The <x:dfn>asterisk-form</x:dfn> of request-target is only used for a server-wide
OPTIONS request (<xref target="OPTIONS"/>).
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="asterisk-form"/>
<x:ref>asterisk-form</x:ref> = "*"
</sourcecode>
<t>
When a client wishes to request OPTIONS
for the server as a whole, as opposed to a specific named resource of
that server, the client &MUST; send only "*" (%x2A) as the request-target.
For example,
</t>
<sourcecode type="http-message">
OPTIONS * HTTP/1.1
</sourcecode>
<t>
If a proxy receives an OPTIONS request with an absolute-form of
request-target in which the URI has an empty path and no query component,
then the last proxy on the request chain &MUST; send a request-target
of "*" when it forwards the request to the indicated origin server.
</t>
<t>
For example, the request
</t>
<sourcecode type="http-message">
OPTIONS http://www.example.org:8001 HTTP/1.1
</sourcecode>
<t>
would be forwarded by the final proxy as
</t>
<sourcecode type="http-message">
OPTIONS * HTTP/1.1
Host: www.example.org:8001
</sourcecode>
<t>
after connecting to port 8001 of host "www.example.org".
</t>
</section>
</section>
<section title="Reconstructing the Target URI" anchor="reconstructing.target.uri">
<x:anchor-alias value="h1.effective.request.uri"/>
<t>
The target URI is the <x:ref>request-target</x:ref> when the
request-target is in <x:ref>absolute-form</x:ref>. In that case,
a server will parse the URI into its generic components for further
evaluation.
</t>
<t>
Otherwise, the server reconstructs the target URI from the connection
context and various parts of the request message in order to identify the
target resource (<xref target="target.resource"/>):
</t>
<ul>
<li>
If the server's configuration provides for a fixed URI scheme, or a scheme
is provided by a trusted outbound gateway, that scheme is used for the
target URI. This is common in large-scale deployments because a gateway
server will receive the client's connection context and replace that with
their own connection to the inbound server.
Otherwise, if the request is received over a secured connection,
the target URI's scheme is "https"; if not, the scheme is "http".
</li>
<li>
If the request-target is in <x:ref>authority-form</x:ref>,
the target URI's authority component is the request-target.
Otherwise, the target URI's authority component is the field value of the
<x:ref>Host</x:ref> header field. If there is no <x:ref>Host</x:ref>
header field or if its field value is empty or invalid,
the target URI's authority component is empty.
</li>
<li>
If the request-target is in <x:ref>authority-form</x:ref> or
<x:ref>asterisk-form</x:ref>, the target URI's combined
<x:ref>path</x:ref> and <x:ref>query</x:ref> component is empty.
Otherwise, the target URI's combined <x:ref>path</x:ref> and
<x:ref>query</x:ref> component is the request-target.
</li>
<li>
The components of a reconstructed target URI, once determined as above,
can be recombined into <x:ref>absolute-URI</x:ref> form by concatenating
the scheme, "://", authority, and combined path and query component.
</li>
</ul>
<t>
Example 1: The following message received over a secure connection
</t>
<sourcecode type="http-message">
GET /pub/WWW/TheProject.html HTTP/1.1
Host: www.example.org
</sourcecode>
<t>
has a target URI of
</t>
<artwork type="example" x:indent-with=" ">
https://www.example.org/pub/WWW/TheProject.html
</artwork>
<t>
Example 2: The following message received over an insecure connection
</t>
<sourcecode type="http-message">
OPTIONS * HTTP/1.1
Host: www.example.org:8080
</sourcecode>
<t>
has a target URI of
</t>
<artwork type="example" x:indent-with=" ">
http://www.example.org:8080
</artwork>
<t>
If the target URI's authority component is empty and its URI scheme
requires a non-empty authority (as is the case for "http" and "https"),
the server can reject the request or determine whether a configured
default applies that is consistent with the incoming connection's context.
Context might include connection details like address and port, what
security has been applied, and locally defined information specific to
that server's configuration. An empty authority is replaced with the
configured default before further processing of the request.
</t>
<t>
Supplying a default name for authority within the context of a secured
connection is inherently unsafe if there is any chance that the user
agent's intended authority might differ from the default.
A server that can uniquely identify an authority from the request
context &MAY; use that identity as a default without this risk.
Alternatively, it might be better to redirect the request to a safe
resource that explains how to obtain a new client.
</t>
<t>
Note that reconstructing the client's target URI is only half of the
process for identifying a target resource. The other half is determining
whether that target URI identifies a resource for which the server is
willing and able to send a response, as defined in
<xref target="routing.reject"/>.
</t>
</section>
</section>
<section title="Status Line" anchor="status.line">
<x:anchor-alias value="response"/>
<x:anchor-alias value="status-line"/>
<x:anchor-alias value="status-code"/>
<x:anchor-alias value="status code"/>
<x:anchor-alias value="reason-phrase"/>
<t>
The first line of a response message is the status-line, consisting
of the protocol version, a space (SP), the status code, and another space
and ending with an &OPTIONAL; textual phrase describing the status code.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="status-line"/>
<x:ref>status-line</x:ref> = <x:ref>HTTP-version</x:ref> <x:ref>SP</x:ref> <x:ref>status-code</x:ref> <x:ref>SP</x:ref> [ <x:ref>reason-phrase</x:ref> ]
</sourcecode>
<t>
Although the status-line grammar rule requires that each of the component
elements be separated by a single SP octet, recipients &MAY; instead parse
on whitespace-delimited word boundaries and, aside from the line
terminator, treat any form of whitespace as the SP separator while
ignoring preceding or trailing whitespace; such whitespace includes one or
more of the following octets: SP, HTAB, VT (%x0B), FF (%x0C), or bare CR.
However, lenient parsing can result in response splitting security
vulnerabilities if there are multiple recipients of the message and each
has its own unique interpretation of robustness
(see <xref target="response.splitting"/>).
</t>
<t>
The status-code element is a 3-digit integer code describing the
result of the server's attempt to understand and satisfy the client's
corresponding request. A recipient parses and interprets the remainder
of the response message in light of the semantics defined for that
status code, if the status code is recognized by that recipient,
or in accordance with the class of that status code when the specific
code is unrecognized.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="status-code"/>
<x:ref>status-code</x:ref> = 3<x:ref>DIGIT</x:ref>
</sourcecode>
<t>
HTTP's core status codes are defined in <xref target="status.codes"/>,
along with the classes of status codes, considerations for the
definition of new status codes, and the IANA registry for collecting
such definitions.
</t>
<t>
The reason-phrase element exists for the sole purpose of providing a
textual description associated with the numeric status code, mostly out of
deference to earlier Internet application protocols that were more
frequently used with interactive text clients.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="reason-phrase"/>
<x:ref>reason-phrase</x:ref> = 1*( <x:ref>HTAB</x:ref> / <x:ref>SP</x:ref> / <x:ref>VCHAR</x:ref> / <x:ref>obs-text</x:ref> )
</sourcecode>
<t>
A client &SHOULD; ignore the reason-phrase content because it is not a
reliable channel for information (it might be translated for a given locale,
overwritten by intermediaries, or discarded when the message is forwarded
via other versions of HTTP).
A server &MUST; send the space that separates the status-code from the
reason-phrase even when the reason-phrase is absent (i.e., the status-line
would end with the space).
</t>
</section>
<section title="Field Syntax" anchor="header.field.syntax">
<x:anchor-alias value="field-line"/>
<t>
Each field line consists of a case-insensitive field name
followed by a colon (":"), optional leading whitespace, the field line value,
and optional trailing whitespace.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="field-line"/><iref primary="false" item="Grammar" subitem="field-name"/><iref primary="false" item="Grammar" subitem="field-value"/>
<x:ref>field-line</x:ref> = <x:ref>field-name</x:ref> ":" <x:ref>OWS</x:ref> <x:ref>field-value</x:ref> <x:ref>OWS</x:ref>
</sourcecode>
<t>
Rules for parsing within field values are
defined in <xref target="fields.values"/>. This section covers the
generic syntax for header field inclusion within, and extraction from,
HTTP/1.1 messages.
</t>
<section title="Field Line Parsing" anchor="field.parsing">
<x:anchor-alias value="header.parsing"/>
<t>
Messages are parsed using a generic algorithm, independent of the
individual field names. The contents within a given field line value are
not parsed until a later stage of message interpretation (usually after the
message's entire field section has been processed).
</t>
<t>
No whitespace is allowed between the field name and colon.
In the past, differences in the handling of such whitespace have led to
security vulnerabilities in request routing and response handling.
A server &MUST; reject, with a response status code of
<x:ref>400 (Bad Request)</x:ref>, any received request message that contains
whitespace between a header field name and colon.
A proxy &MUST; remove any such whitespace
from a response message before forwarding the message downstream.
</t>
<t>
A field line value might be preceded and/or followed by optional whitespace
(OWS); a single SP preceding the field line value is preferred for consistent
readability by humans.
The field line value does not include that leading or trailing whitespace: OWS
occurring before the first non-whitespace octet of the field line value,
or after the last non-whitespace octet of the field line value, is excluded by
parsers when extracting the field line value from a field line.
</t>
</section>
<section title="Obsolete Line Folding" anchor="line.folding">
<x:anchor-alias value="obs-fold"/>
<t>
Historically, HTTP/1.x field values could be extended over multiple
lines by preceding each extra line with at least one space or horizontal
tab (obs-fold). This specification deprecates such line folding except
within the "message/http" media type
(<xref target="media.type.message.http"/>).
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="obs-fold"/>
<x:ref>obs-fold</x:ref> = <x:ref>OWS</x:ref> <x:ref>CRLF</x:ref> <x:ref>RWS</x:ref>
; obsolete line folding
</sourcecode>
<t>
A sender &MUST-NOT; generate a message that includes line folding
(i.e., that has any field line value that contains a match to the
<x:ref>obs-fold</x:ref> rule) unless the message is intended for packaging
within the "message/http" media type.
</t>
<t>
A server that receives an <x:ref>obs-fold</x:ref> in a request message that
is not within a "message/http" container &MUST; either reject the message by
sending a <x:ref>400 (Bad Request)</x:ref>, preferably with a
representation explaining that obsolete line folding is unacceptable, or
replace each received <x:ref>obs-fold</x:ref> with one or more
<x:ref>SP</x:ref> octets prior to interpreting the field value or
forwarding the message downstream.
</t>
<t>
A proxy or gateway that receives an <x:ref>obs-fold</x:ref> in a response
message that is not within a "message/http" container &MUST; either discard
the message and replace it with a <x:ref>502 (Bad Gateway)</x:ref>
response, preferably with a representation explaining that unacceptable
line folding was received, or replace each received <x:ref>obs-fold</x:ref>
with one or more <x:ref>SP</x:ref> octets prior to interpreting the field
value or forwarding the message downstream.
</t>
<t>
A user agent that receives an <x:ref>obs-fold</x:ref> in a response message
that is not within a "message/http" container &MUST; replace each received
<x:ref>obs-fold</x:ref> with one or more <x:ref>SP</x:ref> octets prior to
interpreting the field value.
</t>
</section>
</section>
<section title="Message Body" anchor="message.body">
<x:anchor-alias value="message-body"/>
<t>
The message body (if any) of an HTTP/1.1 message is used to carry content
(<xref target="content"/>) for the request or response. The
message body is identical to the content unless a transfer coding has
been applied, as described in <xref target="field.transfer-encoding"/>.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="message-body"/>
<x:ref>message-body</x:ref> = *OCTET
</sourcecode>
<t>
The rules for determining when a message body is present in an HTTP/1.1
message differ for requests and responses.
</t>
<t>
The presence of a message body in a request is signaled by a
<x:ref>Content-Length</x:ref> or <x:ref>Transfer-Encoding</x:ref> header
field. Request message framing is independent of method semantics.
</t>
<t>
The presence of a message body in a response, as detailed in
<xref target="message.body.length"/>, depends on both the request
method to which it is responding and the response status code. This
corresponds to when response content is allowed by HTTP semantics
(<xref target="content.semantics"/>).
</t>
<section title="Transfer-Encoding" anchor="field.transfer-encoding">
<x:anchor-alias value="header.transfer-encoding"/>
<iref primary="true" item="Fields" subitem="Transfer-Encoding" x:for-anchor=""/><iref primary="true" item="Header Fields" subitem="Transfer-Encoding" x:for-anchor=""/><iref primary="true" item="Transfer-Encoding header field" x:for-anchor=""/>
<iref item="chunked (Coding Format)"/>
<x:anchor-alias value="Transfer-Encoding"/>
<t>
The Transfer-Encoding header field lists the transfer coding names
corresponding to the sequence of transfer codings that have been
(or will be) applied to the content in order to form the message body.
Transfer codings are defined in <xref target="transfer.codings"/>.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="Transfer-Encoding"/>
<x:ref>Transfer-Encoding</x:ref> = #<x:ref>transfer-coding</x:ref>
; defined in <xref target="field.te"/>
</sourcecode>
<t>
Transfer-Encoding is analogous to the Content-Transfer-Encoding field of
MIME, which was designed to enable safe transport of binary data over a
7-bit transport service (<xref target="RFC2045" x:fmt="," x:sec="6"/>).
However, safe transport has a different focus for an 8bit-clean transfer
protocol. In HTTP's case, Transfer-Encoding is primarily intended to
accurately delimit dynamically generated content. It also serves to
distinguish encodings that are only applied in transit from the encodings
that are a characteristic of the selected representation.
</t>
<t>
A recipient &MUST; be able to parse the chunked transfer coding
(<xref target="chunked.encoding"/>) because it plays a crucial role in
framing messages when the content size is not known in advance.
A sender &MUST-NOT; apply the chunked transfer coding more than once to a
message body (i.e., chunking an already chunked message is not allowed).
If any transfer coding other than chunked is applied to a request's content,
the sender &MUST; apply chunked as the final transfer coding to
ensure that the message is properly framed.
If any transfer coding other than chunked is applied to a response's content,
the sender &MUST; either apply chunked as the final transfer coding
or terminate the message by closing the connection.
</t>
<t>
For example,
</t>
<sourcecode type="http-message">