Hypertext Transfer Protocol (HTTP) is a method used to transfer or convey information on the World Wide Web. It is a patented open internet protocol whose original purpose was to provide a way to publish and receive HTML pages.
Development of HTTP was coordinated by the World Wide Web Consortium and working groups of the Internet Engineering Task Force, culminating in the publication of a series of RFCs, most notably RFC 2616, which defines HTTP/1.1, the version of HTTP in common use today.
HTTP is a request/response protocol between clients and servers. The originating client, such as a web browser, spider, or other end-user tool, is referred to as the user agent. The destination server, which stores or creates resources such as HTML files and images, is called the origin server. In between the user agent and origin server may be several intermediaries, such as proxies, gateways, and tunnels.
An HTTP client initiates a request by establishing a Transmission Control Protocol (TCP) connection to a particular port on a remote host (port 80 by default; see List of TCP and UDP port numbers). An HTTP server listening on that port waits for the client to send a request message.
Upon receiving the request, the server sends back a status line, such as "HTTP/1.1 200 OK", and a message of its own, the body of which is perhaps the requested file, an error message, or some other information.
Resources to be accessed by HTTP are identified using Uniform Resource Identifiers (URIs) (or, more specifically, URLs) using the http: or https URI schemes.
Request message
The request message consists of the following:
Request line, such as GET /images/logo.gif HTTP/1.1, which requests the file logo.gif from the /images directory
Headers, such as Accept-Language: en
An empty line
An optional message body
The request line and headers must all end with CRLF (i.e. a carriage return followed by a line feed). The empty line must consist of only CRLF and no other whitespace.
Some headers are optional, while some others (such as Host) are required by the HTTP/1.1 protocol.
Request methods
HTTP defines eight methods (sometimes referred to as "verbs") indicating the desired action to be performed on the identified resource.
HEAD
Asks for the response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.
GET
Requests a representation of the specified resource. By far the most common method used on the Web today.
POST
Submits user data (e.g. from a HTML form) to the identified resource. The data is included in the body of the request.
PUT
Uploads a representation of the specified resource.
DELETE
Deletes the specified resource (rarely implemented).
TRACE
Echoes back the received request, so that a client can see what intermediate servers are adding or changing in the request.
OPTIONS
Returns the HTTP methods that the server supports. This can be used to check the functionality of a web server.
CONNECT
For use with a proxy that can change to being an SSL tunnel.
HTTP servers are supposed to implement at least GET and HEAD methods and, whenever possible, also OPTIONS method.
Safe methods
Methods GET and HEAD are defined as safe, i.e. intended only for information retrieval and not changing the state of the server (called the side-effect of the request). Unsafe methods (such as POST, PUT and DELETE) should be displayed to the user in a special way, normally as buttons rather than links, thus making the user aware of possible obligations (e.g. financial transaction).
Despite the required safety of GET requests, in practice they can cause changes on the server. For example, an HTML page may use a simple hyperlink to initiate deletion of a domain database record, thus causing a change of the server's state as a side-effect of a GET request. This behavior is architecturally discouraged (such actions should be designed using a POST request) but is fairly common on the Web. Such behavior can cause problems because various schemes for caching web pages, such as search engines, which by design GET pages before a user initiates a request, can cause unintentional changes on a server. According to the specification, if the server makes such transactions after a safe request, the client-side software cannot be held accountable for them.
Idempotent methods
Methods GET, HEAD, PUT and DELETE are defined to be idempotent, meaning that multiple identical requests should have the same effect as a single request. Methods OPTIONS and TRACE, being safe, are inherently idempotent.
HTTP versions
HTTP has evolved into multiple, mostly backwards-compatible protocol versions. RFC 2145 describes the use of HTTP version numbers. Basically, the client tells in the beginning of the request the version it uses, and the server uses the same or earlier version in the response.
0.9
Deprecated. Only supports one command, GET — which does not specify the HTTP version. Does not support headers. Since this version does not support POST, the client can't pass much information to the server.
HTTP/1.0
This is the first protocol revision to specify its version in communications and is still in wide use, especially by proxy servers. Allows persistent connections (alias keep-alive connections, more than one request-response per TCP/IP connection) when explicitly negotiated; however, this only works well when not using proxy servers.
HTTP/1.1
Current version; persistent connections enabled by default and works well with proxies. Also supports request pipelining, allowing multiple requests to be sent at the same time, allowing the server to prepare for the workload and potentially transfer the requested resources more quickly to the client.
HTTP/1.2
The initial 1995 working drafts of PEP — an Extension Mechanism for HTTP prepared by W3C and submitted to IETF were aiming to become a distinguishing feature of HTTP/1.2. In later PEP working drafts however the reference to HTTP/1.2 was removed. PEP later became subsumed by the experimental RFC 2774 — HTTP Extension Framework.
Status codes
See also: List of HTTP status codes
In HTTP/1.0 and since, the first line of the HTTP response is called the status line and includes a numeric status code (such as "200") and a textual reason phrase (such as "OK"). The way the user agent handles the response primarily depends on the code and secondarily on the response headers. Custom status codes can be used since if the user agent encounters a code it does not recognize, it can use the first digit of the code to determine the general class of the response. [1]
Also, the standard reason phrases are only recommendations and can be replaced with "local equivalents" at the web developer's discretion. If the status code indicated a problem, the user agent might display the reason phrase to the user to provide further information about the nature of the problem. The standard also allows the user agent to attempt to interpret the reason phrase, though this might be unwise since the standard explicitly specifies that status codes are machine-readable and reason phrases are human-readable.
HTTP connection persistence
In HTTP/0.9 and HTTP/1.0, a client sends a request to the server, the server sends a response back to the client. After this, the connection is closed. HTTP/1.1, however, supports persistent connections. This enables the client to send a request and get a response, and then send additional requests and get additional responses. The TCP connection is not released for the multiple additional requests, so the relative overhead due to TCP is much less per request. The use of persistent connection is often called keep alive. It is also possible to send more than one (usually between two and five) requests before getting responses from previous requests. This is called pipelining.
There is a HTTP/1.0 extension for connection persistence, but its utility is limited due to HTTP/1.0's lack of unambiguous rules for delimiting messages. This extension uses a header called Keep-Alive, while the HTTP/1.1 connection persistence uses the Connection header. Therefore a HTTP/1.1 may choose to support either just HTTP/1.1 connection persistence, or both HTTP/1.0 and HTTP/1.1 connection persistence. Some HTTP/1.1 clients and servers do not implement connection persistence or have it disabled in their configuration.
HTTP connection closing
Both HTTP servers and clients are allowed to close TCP/IP connections at any time (i.e. depending on their settings, their load, etc.). This feature makes HTTP ideal for the World Wide Web, where pages regularly link to many other pages on the same server or to external servers.
Closing an HTTP/1.1 connection can be a much longer operation (from 200 milliseconds up to several seconds) than closing an HTTP/1.0 connection, because the first usually needs a linger close while the second can be immediately closed as soon as the entire first request has been read and the full response has been sent.
HTTP session state
HTTP can occasionally pose problems for Web developers (Web Applications), because HTTP is stateless. The advantage of a stateless protocol is that hosts don't need to retain information about users between requests, but this forces the use of alternative methods for maintaining users' state, for example, when a host would like to customize content for a user who has visited before. The common method for solving this problem involves the use of sending and requesting cookies. Other methods are session control, hidden variables, etc.
Secure HTTP
There are currently two methods of establishing a secure HTTP connection: the https URI scheme and the HTTP 1.1 Upgrade header. The https URI scheme has been deprecated by RFC 2817, which introduced the Upgrade header; however, as browser support for the Upgrade header is nearly non-existent, the https URI scheme is still the dominant method of establishing a secure HTTP connection.
https URI Scheme
Main article: https
https: is a URI scheme syntactically identical to the http: scheme used for normal HTTP connections, but which signals the browser to use an added encryption layer of SSL/TLS to protect the traffic. SSL is especially suited for HTTP since it can provide some protection even if only one side to the communication is authenticated. In the case of HTTP transactions over the Internet, typically only the server side is authenticated.
HTTP 1.1 Upgrade Header
HTTP 1.1 introduced support for the Upgrade header. In the exchange, the client begins by making a clear-text request, which is later upgraded to TLS. Either the client or the server may request (or demand) that the connection be upgraded. The most common usage is a clear-text request by the client followed by a server demand to upgrade the connection, which looks like this:
Request message
The request message consists of the following:
Request line, such as GET /images/logo.gif HTTP/1.1, which requests the file logo.gif from the /images directory
Headers, such as Accept-Language: en
An empty line
An optional message body
The request line and headers must all end with CRLF (i.e. a carriage return followed by a line feed). The empty line must consist of only CRLF and no other whitespace.
Some headers are optional, while some others (such as Host) are required by the HTTP/1.1 protocol.
Request methods
HTTP defines eight methods (sometimes referred to as "verbs") indicating the desired action to be performed on the identified resource.
HEAD
Asks for the response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.
GET
Requests a representation of the specified resource. By far the most common method used on the Web today.
POST
Submits user data (e.g. from a HTML form) to the identified resource. The data is included in the body of the request.
PUT
Uploads a representation of the specified resource.
DELETE
Deletes the specified resource (rarely implemented).
TRACE
Echoes back the received request, so that a client can see what intermediate servers are adding or changing in the request.
OPTIONS
Returns the HTTP methods that the server supports. This can be used to check the functionality of a web server.
CONNECT
For use with a proxy that can change to being an SSL tunnel.
HTTP servers are supposed to implement at least GET and HEAD methods and, whenever possible, also OPTIONS method.
Safe methods
Methods GET and HEAD are defined as safe, i.e. intended only for information retrieval and not changing the state of the server (called the side-effect of the request). Unsafe methods (such as POST, PUT and DELETE) should be displayed to the user in a special way, normally as buttons rather than links, thus making the user aware of possible obligations (e.g. financial transaction).
Despite the required safety of GET requests, in practice they can cause changes on the server. For example, an HTML page may use a simple hyperlink to initiate deletion of a domain database record, thus causing a change of the server's state as a side-effect of a GET request. This behavior is architecturally discouraged (such actions should be designed using a POST request) but is fairly common on the Web. Such behavior can cause problems because various schemes for caching web pages, such as search engines, which by design GET pages before a user initiates a request, can cause unintentional changes on a server. According to the specification, if the server makes such transactions after a safe request, the client-side software cannot be held accountable for them.
Idempotent methods
Methods GET, HEAD, PUT and DELETE are defined to be idempotent, meaning that multiple identical requests should have the same effect as a single request. Methods OPTIONS and TRACE, being safe, are inherently idempotent.
HTTP versions
HTTP has evolved into multiple, mostly backwards-compatible protocol versions. RFC 2145 describes the use of HTTP version numbers. Basically, the client tells in the beginning of the request the version it uses, and the server uses the same or earlier version in the response.
0.9
Deprecated. Only supports one command, GET — which does not specify the HTTP version. Does not support headers. Since this version does not support POST, the client can't pass much information to the server.
HTTP/1.0
This is the first protocol revision to specify its version in communications and is still in wide use, especially by proxy servers. Allows persistent connections (alias keep-alive connections, more than one request-response per TCP/IP connection) when explicitly negotiated; however, this only works well when not using proxy servers.
HTTP/1.1
Current version; persistent connections enabled by default and works well with proxies. Also supports request pipelining, allowing multiple requests to be sent at the same time, allowing the server to prepare for the workload and potentially transfer the requested resources more quickly to the client.
HTTP/1.2
The initial 1995 working drafts of PEP — an Extension Mechanism for HTTP prepared by W3C and submitted to IETF were aiming to become a distinguishing feature of HTTP/1.2. In later PEP working drafts however the reference to HTTP/1.2 was removed. PEP later became subsumed by the experimental RFC 2774 — HTTP Extension Framework.
Status codes
See also: List of HTTP status codes
In HTTP/1.0 and since, the first line of the HTTP response is called the status line and includes a numeric status code (such as "200") and a textual reason phrase (such as "OK"). The way the user agent handles the response primarily depends on the code and secondarily on the response headers. Custom status codes can be used since if the user agent encounters a code it does not recognize, it can use the first digit of the code to determine the general class of the response. [1]
Also, the standard reason phrases are only recommendations and can be replaced with "local equivalents" at the web developer's discretion. If the status code indicated a problem, the user agent might display the reason phrase to the user to provide further information about the nature of the problem. The standard also allows the user agent to attempt to interpret the reason phrase, though this might be unwise since the standard explicitly specifies that status codes are machine-readable and reason phrases are human-readable.
HTTP connection persistence
In HTTP/0.9 and HTTP/1.0, a client sends a request to the server, the server sends a response back to the client. After this, the connection is closed. HTTP/1.1, however, supports persistent connections. This enables the client to send a request and get a response, and then send additional requests and get additional responses. The TCP connection is not released for the multiple additional requests, so the relative overhead due to TCP is much less per request. The use of persistent connection is often called keep alive. It is also possible to send more than one (usually between two and five) requests before getting responses from previous requests. This is called pipelining.
There is a HTTP/1.0 extension for connection persistence, but its utility is limited due to HTTP/1.0's lack of unambiguous rules for delimiting messages. This extension uses a header called Keep-Alive, while the HTTP/1.1 connection persistence uses the Connection header. Therefore a HTTP/1.1 may choose to support either just HTTP/1.1 connection persistence, or both HTTP/1.0 and HTTP/1.1 connection persistence. Some HTTP/1.1 clients and servers do not implement connection persistence or have it disabled in their configuration.
HTTP connection closing
Both HTTP servers and clients are allowed to close TCP/IP connections at any time (i.e. depending on their settings, their load, etc.). This feature makes HTTP ideal for the World Wide Web, where pages regularly link to many other pages on the same server or to external servers.
Closing an HTTP/1.1 connection can be a much longer operation (from 200 milliseconds up to several seconds) than closing an HTTP/1.0 connection, because the first usually needs a linger close while the second can be immediately closed as soon as the entire first request has been read and the full response has been sent.
HTTP session state
HTTP can occasionally pose problems for Web developers (Web Applications), because HTTP is stateless. The advantage of a stateless protocol is that hosts don't need to retain information about users between requests, but this forces the use of alternative methods for maintaining users' state, for example, when a host would like to customize content for a user who has visited before. The common method for solving this problem involves the use of sending and requesting cookies. Other methods are session control, hidden variables, etc.
Secure HTTP
There are currently two methods of establishing a secure HTTP connection: the https URI scheme and the HTTP 1.1 Upgrade header. The https URI scheme has been deprecated by RFC 2817, which introduced the Upgrade header; however, as browser support for the Upgrade header is nearly non-existent, the https URI scheme is still the dominant method of establishing a secure HTTP connection.
https URI Scheme
Main article: https
https: is a URI scheme syntactically identical to the http: scheme used for normal HTTP connections, but which signals the browser to use an added encryption layer of SSL/TLS to protect the traffic. SSL is especially suited for HTTP since it can provide some protection even if only one side to the communication is authenticated. In the case of HTTP transactions over the Internet, typically only the server side is authenticated.
HTTP 1.1 Upgrade Header
HTTP 1.1 introduced support for the Upgrade header. In the exchange, the client begins by making a clear-text request, which is later upgraded to TLS. Either the client or the server may request (or demand) that the connection be upgraded. The most common usage is a clear-text request by the client followed by a server demand to upgrade the connection, which looks like this
Client:
GET /encrypted-area HTTP/1.1
Host: www.example.com