HTTP/1.1 just got a major update.
The IETF just published several new RFCs that update HTTP/1.1:
- RFC 7230: Message Syntax and Routing
- RFC 7231: Semantics and Content
- RFC 7232: Conditional Requests
- RFC 7233: Range Requests
- RFC 7234: Caching
- RFC 7235: Authentication
- RFC 7236: Authentication Scheme Registrations
- RFC 7237: Method Registrations
- RFC 7238: the 308 (Permanent Redirect) status code
- RFC 7239: Forwarded HTTP extension
These documents make the original specification for HTTP/1.1 obsolete. To an HTTP geek like me, this is a big deal.
RFC 2616, written more than 15 years ago, was the specification everybody implemented, and I suspect many of you have occasionally used it as a reference.
Since then, the HTTPbis working group has spent, from what I can tell, at least 7 years updating these specs. For a protocol as widespread as HTTP, you can imagine there are many stakeholders and opinions to satisfy.
HTTP/2.0, which is still under development, will also reference these RFCs and essentially just link to them, rather than redefining everything from scratch.
I’ve been using the drafts of these new standards documents for years, as it did not take long for them to become much better references than the original.
The biggest difference compared to the old spec is that there is simply a lot more text. Many things are easier to read and understand, and ambiguities have been resolved.
For those reasons alone it makes a lot of sense for API authors to read the specs end to end. You are guaranteed to learn something and get inspired to do better HTTP API design.
The 308 status code is now standard, providing the fourth member of the 301/302/307 family: 308 is a permanent redirect, and a client that receives one is expected to follow it and repeat the exact same request (same method, same body) against the new location. This is in contrast to 301, where clients usually change the method to GET.
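To make the redirect rules concrete, here is an added example (mine, not code from the post) of the request a client should issue after each redirect status, following RFC 7231 for 301, 302, 303 and 307 and RFC 7238 for 308. The `Request` type and the `resolve_location` and `follow_redirect` helpers are assumed names; the rule that a Location without a fragment inherits the fragment of the original request URI comes from RFC 7231 section 7.1.2.

```python
from dataclasses import dataclass, replace
from typing import Optional
from urllib.parse import urljoin


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    body: Optional[bytes] = None


# 301 and 302: for historical reasons a user agent MAY change POST to GET
# (RFC 7231 sections 6.4.2 and 6.4.3); real clients do, so this model does too.
MAY_REWRITE_POST = {301, 302}
# 303: always a retrieval (GET, or HEAD for a HEAD request) with the body dropped (6.4.4).
SEE_OTHER = 303
# 307 (RFC 7231 6.4.7) and 308 (RFC 7238): the method MUST NOT change, so the
# same request, body included, is repeated against the new location.
PRESERVE_METHOD = {307, 308}
# 301 and 308 tell the client the resource has moved for good.
PERMANENT = {301, 308}


def resolve_location(request_url: str, location: str) -> str:
    """Resolve a Location value, which may now be relative and carry a fragment.

    RFC 7231 7.1.2: if Location has no fragment, the redirected request
    inherits the fragment of the original request URI.
    """
    target = urljoin(request_url, location)
    if "#" not in location and "#" in request_url:
        target += "#" + request_url.split("#", 1)[1]
    return target


def follow_redirect(req: Request, status: int, location: str) -> Request:
    """Return the request a client should issue after a `status` redirect."""
    target = resolve_location(req.url, location)
    if status in PRESERVE_METHOD:
        return replace(req, url=target)  # same method, same body
    if status == SEE_OTHER:
        return Request("HEAD" if req.method == "HEAD" else "GET", target)
    if status in MAY_REWRITE_POST:
        if req.method == "POST":
            return Request("GET", target)  # body is not re-sent
        return replace(req, url=target)
    raise ValueError(f"{status} is not a redirect status this client follows")


def is_permanent(status: int) -> bool:
    """True for redirects the client may remember for future requests."""
    return status in PERMANENT
```

The one behaviour this encodes that most hand-written clients get wrong is the 307/308 case: a POST with a body must be re-sent as a POST with the same body, never downgraded to a GET.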
RFC 7239 standardizes a Forwarded header, which is meant to replace the non-standard X-Forwarded-* headers such as X-Forwarded-For. Keep in mind that a Forwarded header is only as trustworthy as the proxies that append to it: any value a client can send unmodified through your edge must be treated as attacker-controlled.
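As an added example (not from the post or from RFC 7239), the following parses a Forwarded header and picks a client address while only trusting elements appended by proxies you control. `parse_forwarded`, `node_ip` and `client_address` are assumed helper names and the sample header values are constructed; the syntax follows RFC 7239 (comma-separated elements, semicolon-separated `name=value` pairs, quoted-string values for things like bracketed IPv6 addresses, and `unknown` or `_obfuscated` node identifiers).

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split `text` on `sep`, ignoring separators inside quoted-strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and quoted:      # quoted-pair: keep the escape for _unquote
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(value: str) -> str:
    """Return the content of a quoted-string, resolving backslash escapes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        inner, out, i = value[1:-1], [], 0
        while i < len(inner):
            if inner[i] == "\\" and i + 1 < len(inner):
                i += 1
            out.append(inner[i])
            i += 1
        return "".join(out)
    return value


def parse_forwarded(header: str) -> List[Dict[str, str]]:
    """Parse a Forwarded field value into one dict per forwarded-element.

    Elements keep the order proxies appended them: the first element was
    added by the proxy closest to the client, the last by the proxy closest to us.
    Parameter names are case-insensitive and are lower-cased here.
    """
    elements = []
    for element in _split_outside_quotes(header, ","):
        pairs = {}
        for pair in _split_outside_quotes(element, ";"):
            name, _, value = pair.partition("=")
            pairs[name.strip().lower()] = _unquote(value.strip())
        elements.append(pairs)
    return elements


def node_ip(node: str) -> Optional[IPAddress]:
    """Extract the IP from a node identifier; None for 'unknown' or obfuscated (_...) ids."""
    if node.startswith("[") and "]" in node:          # "[v6]" or "[v6]:port"
        host = node[1:node.index("]")]
    elif node.count(":") == 1:                        # "v4:port"
        host = node.rsplit(":", 1)[0]
    else:
        host = node
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def client_address(header: Optional[str], peer: str, trusted_proxies: Iterable[str]) -> str:
    """Pick the client address, honouring Forwarded only through trusted proxies.

    Walk from the last element (added by the proxy nearest to us) back towards
    the client and stop at the first address that is not a trusted proxy.
    If the TCP peer itself is not a trusted proxy, the header is ignored
    entirely, since the client could have written it.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    candidate = ipaddress.ip_address(peer)
    if candidate not in trusted or not header:
        return str(candidate)
    for element in reversed(parse_forwarded(header)):
        ip = node_ip(element.get("for", ""))
        if ip is None:
            break          # unknown/obfuscated hop: cannot safely look further back
        candidate = ip
        if ip not in trusted:
            break
    return str(candidate)
```

The walk-from-the-right policy is what makes spoofing ineffective: an attacker can prepend as many `for=` elements as they like, but the first untrusted address encountered when walking back from your own proxies is the address your edge proxy actually saw.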
A far from complete list of other interesting things that have changed:
- Clarifications around dealing with unexpected whitespace. For instance, a server must now reject a request that has whitespace between a header field name and the colon, which should help close off response splitting vulnerabilities, provided implementations actually enforce the new rules.
- The limit of two connections per server has been removed.
- HTTP/0.9 support has been dropped.
- The default charset of ISO-8859-1 for text media types has been removed.
- Servers are no longer required to handle all Content-* headers in PUT requests, and Content-Range has been explicitly banned in PUT requests (a server must answer such a request with 400).
- It’s now suggested to use the about:blank URI in the Referer header when no referrer exists, to distinguish between “there was no referrer” and “I don’t want to send a referrer”.
- More status codes, 501 among them, are now cacheable by default.
- The status codes 301 and 302 have been changed to allow user agents to rewrite the method from POST to GET. This is a good example of a case where everybody was already (incorrectly) doing this, and the spec now reflects the real-world implementations.
- The Location header can now contain relative URIs as well as fragment identifiers.
- Content-MD5 has been removed.
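The whitespace item deserves a worked illustration, since a spec clarification only helps once parsers enforce it. The following added example (mine, not the post’s) implements the RFC 7230 rules that matter for response splitting and request smuggling on both sides of a message: on input it rejects whitespace between a field name and the colon, bare CR and obsolete line folding, and on output it refuses CR or LF inside a field value. `BadRequest`, `parse_request_head`, `is_rejected`, `is_safe_field_value` and `safe_header` are assumed names; the sample requests are constructed.

```python
import re
from typing import List, Tuple

# token = 1*tchar (RFC 7230 section 3.2.6)
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# field-value content: VCHAR, obs-text (0x80-0xFF), SP and HTAB; never CR, LF or other controls
FIELD_VALUE_RE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")


class BadRequest(ValueError):
    """Raised where RFC 7230 tells a server to answer 400 (Bad Request)."""


def parse_request_head(raw: bytes) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Split a request head into its start-line and (lower-cased name, value) pairs.

    Repeated field names are kept in order so the caller can apply its own
    policy (for example, rejecting duplicate Content-Length fields).
    """
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    if not terminator:
        raise BadRequest("header section not terminated by an empty line")
    start_line, *lines = head.split(b"\r\n")
    if b"\r" in start_line:
        raise BadRequest("bare CR in start-line")
    fields = []
    for line in lines:
        if b"\r" in line:
            # A lone CR is not a line terminator (RFC 7230 3.5); treat it as invalid.
            raise BadRequest("bare CR in header field")
        if line[:1] in (b" ", b"\t"):
            # obs-fold: a server MUST reject it or replace it with SP (3.2.4); we reject.
            raise BadRequest("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        if not colon:
            raise BadRequest("header field without a colon")
        if name != name.rstrip(b" \t"):
            # 3.2.4: whitespace between field-name and ":" MUST be rejected with 400.
            raise BadRequest("whitespace between field name and colon")
        name_text = name.decode("ascii", errors="replace")
        if not TOKEN_RE.fullmatch(name_text):
            raise BadRequest("field name is not a token")
        value = value.strip(b" \t")  # optional whitespace around the value is allowed
        if not FIELD_VALUE_RE.fullmatch(value):
            raise BadRequest("illegal octet in field value")
        fields.append((name_text.lower(), value))
    return start_line, fields


def is_rejected(raw: bytes) -> bool:
    """True if `raw` would be answered with 400 by parse_request_head."""
    try:
        parse_request_head(raw)
    except BadRequest:
        return True
    return False


def is_safe_field_value(value: str) -> bool:
    """True if `value` can be emitted without terminating the field or the message."""
    try:
        return FIELD_VALUE_RE.fullmatch(value.encode("latin-1")) is not None
    except UnicodeEncodeError:
        return False


def safe_header(name: str, value: str) -> bytes:
    """Serialise one header field, refusing the CR/LF that response splitting relies on."""
    if not TOKEN_RE.fullmatch(name):
        raise ValueError(f"invalid field name: {name!r}")
    if not is_safe_field_value(value):
        raise ValueError("CR, LF or other control octets are not allowed in a field value")
    return name.encode("ascii") + b": " + value.encode("latin-1") + b"\r\n"
```

The `Content-Length : 5` case is the one to remember: a front-end that tolerates the space and a back-end that ignores the field (or the reverse) disagree about where the body ends, which is exactly the disagreement request smuggling exploits.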
Anything else I missed?