HTTP/2 (originally named HTTP/2.0) is a major revision of the

HTTP HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...

network protocol used by the

World Wide Web The World Wide Web (WWW or simply the Web) is an information system that enables Content (media), content sharing over the Internet through user-friendly ways meant to appeal to users beyond Information technology, IT specialists and hobbyis ...

. It was derived from the earlier experimental

SPDY SPDY (pronounced "speedy") is an obsolete open-specification communication protocol developed for transporting web content. SPDY became the basis for HTTP/2 specification. However, HTTP/2 diverged from SPDY and eventually HTTP/2 subsumed all use ...

protocol, originally developed by

Google Google LLC (, ) is an American multinational corporation and technology company focusing on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial ...

. HTTP/2 was developed by the HTTP Working Group (also called httpbis, where "" means "twice") of the

Internet Engineering Task Force The Internet Engineering Task Force (IETF) is a standards organization for the Internet standard, Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster ...

(IETF). HTTP/2 is the first new version of HTTP since HTTP/1.1, which was standardized in in 1997. The Working Group presented HTTP/2 to the

Internet Engineering Steering Group The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and ...

(IESG) for consideration as a Proposed Standard in December 2014, and IESG approved it to publish as Proposed Standard on February 17, 2015 (and was updated in February 2020 in regard to TLS 1.3 and again in June 2022). The initial HTTP/2 specification was published as on May 14, 2015. The standardization effort was supported by Chrome, Opera, Firefox, Internet Explorer 11, Safari, Amazon Silk, and Edge browsers. Most major browsers had added HTTP/2 support by the end of 2015. About 97% of web browsers used have the capability (and 100% of "tracked desktop" web browsers). , 36% (after topping out at just over 50%) of the top 10 million websites support HTTP/2. Its successor is

HTTP/3 HTTP/3 is the third major version of the Hypertext Transfer Protocol used to exchange information on the World Wide Web, complementing the widely deployed HTTP/1.1 and HTTP/2. Unlike previous versions which relied on the well-established TCP ...

, a major revision that builds on the concepts established by HTTP/2.

Goals

The working group charter mentions several goals and issues of concern: * Create a negotiation mechanism that allows clients and servers to elect to use HTTP/1.1, 2.0, or potentially other non-HTTP protocols. * Maintain high-level compatibility with HTTP/1.1 (for example with

methods Method (, methodos, from μετά/meta "in pursuit or quest of" + ὁδός/hodos "a method, system; a way or manner" of doing, saying, etc.), literally means a pursuit of knowledge, investigation, mode of prosecuting such inquiry, or system. In re ...

, status codes,

URI Uri may refer to: Places * Canton of Uri, a canton in Switzerland * Úri, a village and commune in Hungary * Uri, Iran, a village in East Azerbaijan Province * Uri, Jammu and Kashmir, a town in India * Uri (island), off Malakula Island in V ...

s, and most header fields). * Decrease latency to improve page load speed in

web browser A web browser, often shortened to browser, is an application for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's scr ...

s by considering: **

data compression In information theory, data compression, source coding, or bit-rate reduction is the process of encoding information using fewer bits than the original representation. Any particular compression is either lossy or lossless. Lossless compressi ...

HTTP header HTTP header fields are a list of strings sent and received by both the client program and server on every HTTP request and response. These headers are usually invisible to the end-user and are only processed or logged by the server and client ...

s **

HTTP/2 Server Push HTTP/2 Server Push is an optional feature of the HTTP/2 and HTTP/3 network protocols that allows servers to send resources to a client before the client requests them. Server Push is a performance technique aimed at reducing latency by sending ...

** prioritization of requests **

multiplexing In telecommunications and computer networking, multiplexing (sometimes contracted to muxing) is a method by which multiple analog or digital signals are combined into one signal over a shared medium. The aim is to share a scarce resource� ...

multiple requests over a single TCP connection (fixing the HTTP-transaction-level

head-of-line blocking Head-of-line blocking (HOL blocking) in computer networking is a performance-limiting phenomenon that occurs when a queue of packets is held up by the first packet in the queue. This occurs, for example, in input-buffered network switches, out-o ...

problem in HTTP 1.x) * Support common existing use cases of HTTP, such as desktop web browsers, mobile web browsers, web APIs,

web server A web server is computer software and underlying Computer hardware, hardware that accepts requests via Hypertext Transfer Protocol, HTTP (the network protocol created to distribute web content) or its secure variant HTTPS. A user agent, co ...

s at various scales, proxy servers,

reverse proxy In computer networks, a reverse proxy or surrogate server is a proxy server that appears to any client to be an ordinary web server, but in reality merely acts as an intermediary that forwards the client's requests to one or more ordinary web s ...

servers, firewalls, and

content delivery network A content delivery network (CDN) or content distribution network is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance ("speed") by distributing the service spat ...

Differences from HTTP/1.1

The proposed changes do not require any changes to how existing web applications work, but new applications can take advantage of new features for increased speed. HTTP/2 leaves all of HTTP/1.1's high-level semantics, such as

, status codes, header fields, and

s, the same. What is new is how the data is framed and transported between the client and the server. Websites that are efficient minimize the number of requests required to render an entire page by minifying (reducing the amount of code and packing smaller pieces of code into bundles, without reducing its ability to function) resources such as images and scripts. However, minification is not necessarily convenient nor efficient and may still require separate HTTP connections to get the page and the minified resources. HTTP/2 allows the server to "push" content, that is, to respond with data for more queries than the client requested. This allows the server to supply data it knows a web browser will need to render a web page, without waiting for the browser to examine the first response, and without the overhead of an additional request cycle. Additional performance improvements in the first draft of HTTP/2 (which was a copy of SPDY) come from

of requests and responses to avoid some of the

problem in HTTP 1 (even when

HTTP pipelining HTTP pipelining is a feature of HTTP/1.1, which allows multiple HTTP requests to be sent over a single TCP connection without waiting for the corresponding responses. HTTP/1.1 requires servers to respond to pipelined requests correctly, with non ...

is used), header

compression Compression may refer to: Physical science *Compression (physics), size reduction due to forces *Compression member, a structural element such as a column *Compressibility, susceptibility to compression * Gas compression *Compression ratio, of a ...

, and prioritization of requests. However, as HTTP/2 runs on top of a single TCP connection there is still potential for head-of-line blocking to occur if TCP packets are lost or delayed in transmission. HTTP/2 no longer supports HTTP/1.1's

chunked transfer encoding Chunked transfer encoding is a streaming data transfer mechanism available in Hypertext Transfer Protocol (HTTP) version 1.1, defined in RFC 9112 §7.1. In chunked transfer encoding, the data stream is divided into a series of non-overlapping "ch ...

mechanism, as it provides its own, more efficient, mechanisms for data streaming.

History

Genesis in and later differences from SPDY

(pronounced like "speedy") was a previous HTTP-replacement protocol developed by a research project spearheaded by

. Primarily focused on reducing latency, SPDY uses the same TCP pipe but different protocols to accomplish this reduction. The basic changes made to HTTP/1.1 to create SPDY included "true request pipelining without FIFO restrictions, message framing mechanism to simplify client and server development, mandatory compression (including headers), priority scheduling, and even bi-directional communication". The HTTP Working Group considered Google's SPDY protocol,

Microsoft Microsoft Corporation is an American multinational corporation and technology company, technology conglomerate headquartered in Redmond, Washington. Founded in 1975, the company became influential in the History of personal computers#The ear ...

HTTP Speed+Mobility HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...

proposal (SPDY based), and Network-Friendly HTTP Upgrade. In July 2012,

Facebook Facebook is a social media and social networking service owned by the American technology conglomerate Meta Platforms, Meta. Created in 2004 by Mark Zuckerberg with four other Harvard College students and roommates, Eduardo Saverin, Andre ...

provided feedback on each of the proposals and recommended HTTP/2 be based on SPDY. The initial draft of HTTP/2 was published in November 2012 and was based on a straight copy of SPDY. The biggest difference between HTTP/1.1 and SPDY was that each user action in SPDY is given a "stream ID", meaning there is a single TCP channel connecting the user to the server. SPDY split requests into either control or data, using a "simple to parse binary protocol with two types of frames". SPDY showed evident improvement over HTTP, with a new page load speedup ranging from 11% to 47%. The development of HTTP/2 used SPDY as a jumping-off point. Among the many detailed differences between the protocols, the most notable is that HTTP/2 uses a fixed

Huffman code In computer science and information theory, a Huffman code is a particular type of optimal prefix code that is commonly used for lossless data compression. The process of finding or using such a code is Huffman coding, an algorithm developed by ...

-based header compression algorithm, instead of SPDY's dynamic stream-based compression. This helps to reduce the potential for compression oracle attacks on the protocol, such as the

CRIME In ordinary language, a crime is an unlawful act punishable by a State (polity), state or other authority. The term ''crime'' does not, in modern criminal law, have any simple and universally accepted definition,Farmer, Lindsay: "Crime, definiti ...

attack. On February 9, 2015, Google announced plans to remove support for SPDY in Chrome in favor of support for HTTP/2. This took effect starting with Chrome 51.

Development milestones

Encryption

HTTP/2 is defined both for HTTP URIs (i.e. without TLS

encryption In Cryptography law, cryptography, encryption (more specifically, Code, encoding) is the process of transforming information in a way that, ideally, only authorized parties can decode. This process converts the original representation of the inf ...

, a configuration which is abbreviated in ) and for HTTPS URIs (over TLS using ALPN extension where

TLS 1.2 Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, ...

or newer is required, a configuration which is abbreviated in ). Although the standard itself does not require usage of encryption, all major client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

Criticisms

Development process

The

FreeBSD FreeBSD is a free-software Unix-like operating system descended from the Berkeley Software Distribution (BSD). The first version was released in 1993 developed from 386BSD, one of the first fully functional and free Unix clones on affordable ...

and

Varnish Varnish is a clear Transparency (optics), transparent hard protective coating or film. It is not to be confused with wood stain. It usually has a yellowish shade due to the manufacturing process and materials used, but it may also be pigmente ...

developer

Poul-Henning Kamp Poul-Henning Kamp () is a Danish computer software developer known for work on various projects including FreeBSD and Varnish cache, Varnish. He currently resides in Slagelse, Denmark. Involvement in the FreeBSD project Poul-Henning Kamp has bee ...

asserts that the standard was prepared on an unrealistically short schedule, ruling out any basis for the new HTTP/2 other than the SPDY protocol and resulting in other missed opportunities for improvement. Kamp criticizes the protocol itself for being inconsistent and having needless, overwhelming complexity. He also states that the protocol violates the protocol layering principle, for example by duplicating flow control that belongs in the transport layer (TCP). He also suggested that the new protocol should have removed

HTTP Cookies HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small block of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web br ...

, introducing a breaking change.

Encryption

Initially, some members of the Working Group tried to introduce an encryption requirement in the protocol. This faced criticism. Critics stated that encryption has non-negligible computing costs and that many HTTP applications actually have no need for encryption and their providers have no desire to spend additional resources on it. Encryption proponents have stated that this encryption overhead is negligible in practice.

has criticized the IETF for hastily standardizing Google's SPDY prototype as HTTP/2 due to political considerations. The criticism of the agenda of mandatory encryption within the existing certificate framework is not new, nor is it unique to members of the open-source community a

Cisco Cisco Systems, Inc. (using the trademark Cisco) is an American multinational digital communications technology conglomerate corporation headquartered in San Jose, California. Cisco develops, manufactures, and sells networking hardware, s ...

employee stated in 2013 that the present certificate model is not compatible with small devices like routers, because the present model requires not only annual enrollment and remission of non-trivial fees for each certificate, but must be continually repeated on an annual basis. In the end the Working Group did not reach consensus over the mandatory encryption, although most client implementations require it, which makes encryption a ''de facto'' requirement. The HTTP/2 protocol also faced criticism for not supporting

opportunistic encryption Opportunistic encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt communications channels, otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two ...

, a measure against

passive monitoring Passive monitoring is a technique used to capture traffic from a network by copying traffic, often from a span port or mirror port or via a network tap. It can be used in application performance management for performance trending and predictive ...

similar to the STARTTLS mechanism that has long been available in other Internet protocols like

SMTP The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typi ...

. Critics have stated that the HTTP/2 proposal goes in violation of IETF's own "Pervasive Monitoring Is an Attack", which also has a status of

Best Current Practice A best current practice, abbreviated as BCP, is a ''de facto'' level of performance in engineering and information technology. It is more flexible than a standard, since techniques and tools are continually evolving. The Internet Engineering Tas ...

188. RFC7258/BCP188 mandates that passive monitoring be considered as an attack, and protocols designed by IETF should take steps to protect against passive monitoring (for example, through the use of opportunistic encryption). A number of specifications for opportunistic encryption of HTTP/2 have been provided, of which draft-nottingham-http2-encryption was adopted as an official work item of the working group, leading to the publication of in May 2017.

TCP head-of-line blocking

Although the design of HTTP/2 effectively addresses the HTTP-transaction-level

problem by allowing multiple concurrent HTTP transactions, all those transactions are multiplexed over a single TCP connection, meaning that any packet-level head-of-line blocking of the TCP stream simultaneously blocks all transactions being accessed via that connection. This head-of-line blocking in HTTP/2 is now widely regarded as a design flaw, and much of the effort behind

QUIC QUIC () is a general-purpose transport layer network protocol initially designed by Jim Roskind at Google. It was first implemented and deployed in 2012 and was publicly announced in 2013 as experimentation broadened. It was also described at an ...

and

has been devoted to reduce head-of-line blocking issues.

Server-side support

Server software

The following web servers support HTTP/2: *

Apache httpd The Apache HTTP Server ( ) is a free and open-source cross-platform web server, released under the terms of Apache License 2.0. It is developed and maintained by a community of developers under the auspices of the Apache Software Foundation. T ...

2.4.12 supports HTTP/2 via the module mod_h2, although appropriate patches must be applied to the source code of the server in order for it to support that module. As of Apache 2.4.17 all patches are included in the main Apache source tree, although the module itself was renamed mod_http2. Old versions of SPDY were supported via the module mod_spdy, however the development of the mod_spdy module has stopped. *

Apache Tomcat Apache Tomcat (called "Tomcat" for short) is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. It provides a "pure Java" HTTP web server environment in which Java code can also ...

8.5 (requires a configuration change) *

Apache Traffic Server The Apache Traffic Server (ATS) is a modular, high-performance reverse proxy and forward proxy server, generally comparable to Nginx and Squid. It was created by Inktomi, and distributed as a commercial product called the Inktomi Traffic Se ...

* Caddy *

Charles Proxy Charles Web Debugging Proxy is a cross-platform HTTP debugging proxy server application written in Java. It enables the user to view HTTP, HTTPS, HTTP/2 and enabled TCP port traffic accessed from, to, or via the local computer. This includes r ...

since version Charles 4. * Citrix NetScaler 11.x * Sucuri * F5 BIG-IP Local Traffic Manager 11.6 *

Barracuda Networks Barracuda Networks, Inc. provides security, networking and storage products based on network appliances and cloud services. History Barracuda Networks was founded in 2003 by CEO Dean Drako, Michael Perone, and Zach Levow, and the company int ...

WAF (Web Application Firewall) * h2o (built from the ground up for HTTP/2 support) *

HAProxy HAProxy is a free and open source software that provides a high availability load balancer and Proxy ( forward proxy, reverse proxy) for TCP and HTTP-based applications that spreads requests across multiple servers. It is written in C and has ...

1.8 *

Jetty A jetty is a man-made structure that protrudes from land out into water. A jetty may serve as a breakwater (structure), breakwater, as a walkway, or both; or, in pairs, as a means of constricting a channel. The term derives from the French la ...

9.3 *

lighttpd lighttpd (prescribed pronunciation: "lighty") is an open-source web server optimized for speed-critical environments while remaining standards-compliant, secure and flexible. It was originally written by Jan Kneschke as a proof-of-concept of the ...

1.4.56 * LiteSpeed Web Server 5.0 *

Microsoft IIS Microsoft IIS (Internet Information Services, IIS, 2S) is an extensible web server created by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTP/2, HTTP/3, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of th ...

(in Windows 10,

Windows Server 2016 Windows Server 2016 is the eleventh major version of the Windows NT operating system produced by Microsoft to be released under the Windows Server brand name. It was developed alongside Windows 10 and is the successor to the Windows 8.1-based ...

, and

Windows Server 2019 Windows Server 2019 is the twelfth major version of the Windows NT operating system produced by Microsoft to be released under the Windows Server brand name. It is the second version of the server operating system based on the Windows 10 plat ...

) * Netty 4.1 * nghttpd (exclusively implements HTTP/2) *

nginx (pronounced "engine x" , stylized as NGINX or nginx) is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Russian developer Igor Sysoev and publicly released in 20 ...

1.9.5 released on September 22, 2015, using module ngx_http_v2_module and

since version 1.13.9 on February 20, 2018. * Node.js 8.13.0 (A separate module is available for Node.js 5.0 and Node 8.4 introduced experimental built-in support for HTTP/2.)
Kestrel web server
for ASP.NET Core supports HTTP/2 since .NET Core 2.2.0-preview 1. * OpenLiteSpeed 1.3.11 and 1.4.8
Proxygen
* Pulse Secure Virtual Traffic Manager 10.2 *

Radware Radware Ltd. is an American provider of cybersecurity and application delivery products for physical, cloud and software-defined data centers. Radware's corporate headquarters are located in Mahwah, New Jersey. The company also has offices in E ...

Alteon NG *

ShimmerCat ShimmerCat was a web server designed from ground-up for HTTP/2 and written in Haskell; it now appears to be an image optimization and distribution service. The purported purpose of the server was to take full advantage of HTTP/2 features, includi ...

Vert.x Eclipse Vert.x is a Polyglot (computing), polyglot event-driven architecture, event-driven application framework that runs on the Java Virtual Machine. Similar environments written in other programming languages include Node.js for JavaScript, Tw ...

3.3 * Warp (

Haskell Haskell () is a general-purpose, statically typed, purely functional programming language with type inference and lazy evaluation. Designed for teaching, research, and industrial applications, Haskell pioneered several programming language ...

web server, used by default in

Yesod Yesod (Hebrew: יְסוֹד ''Yəsōḏ'', Tiberian: ''Yăsōḏ'', "foundation") is a sephirah or node in the kabbalistic Tree of Life, a system of Jewish philosophy. Yesod, located near the base of the Tree, is the sephirah below Hod and ...

) * Wildfly 9
Envoy proxy

Content delivery networks

* Akamai was the first major CDN to support HTTP/2 and

. *

Microsoft Azure Microsoft Azure, or just Azure ( /ˈæʒər, ˈeɪʒər/ ''AZH-ər, AY-zhər'', UK also /ˈæzjʊər, ˈeɪzjʊər/ ''AZ-ure, AY-zure''), is the cloud computing platform developed by Microsoft. It has management, access and development of ...

supports HTTP/2. * PageCDN supports HTTP/2 out of the box and provides user-interface to setup HTTP/2 Server Push in CDN dashboard. * CDN77 supports HTTP/2 using nginx (August 20, 2015). *

Cloudflare Cloudflare, Inc., is an American company that provides content delivery network services, cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, ICANN-accredited domain registration, and other se ...

supports HTTP/2 using nginx with SPDY as a fallback for browsers without support, whilst maintaining all security and performance services. Cloudflare was the first major CDN to support

. * AWS CloudFront supports HTTP/2 since September 7, 2016. *

Fastly Fastly, Inc. is an American company based in San Francisco, which describes itself as a cloud computing company. Fastly provides content delivery network services, image optimization, and load balancing services. Fastly's cloud security services ...

supports HTTP/2 including Server Push. * Imperva Incapsula CDN supports HTTP/2. The implementation includes support for WAF and DDoS mitigation features as well. * KeyCDN supports HTTP/2 using nginx (October 6, 2015)
HTTP/2 Test
is a test page to verify if your server supports HTTP/2. * BrandSSL supports HTTP/2. * Voxility supports HTTP/2 using nginx since July, 2016. The implementation comes in support for Cloud DDoS mitigation services. *

StackPath StackPath was an American edge computing platform provider headquartered in Dallas, Texas. Its founding team was led by Lance Crosby, who also co-founded SoftLayer Technologies, acquired by IBM in 2013. Acquisitions * MaxCDN ( CDN), 2016 * St ...

supports HTTP/2.

Implementations

* Other implementations are collected on th
GitHub HTTP/2 wiki

References

External links

* * * – Hypertext Transfer Protocol version 2 (HTTP/2) * – HPACK: Header Compression for HTTP/2
HTTP/2 explained
(

Daniel Stenberg Magnus Daniel Stenberg is a Swedish developer and recipient of the 2017 Polhem Prize (for a high-level technological innovation or an ingenious solution to a technical problem) for his work on the cURL utility. Stenberg was born and raised in Hu ...

) * /tools.ietf.org/html/draft-mbelshe-httpbis-spdy-00 SPDY Protocol(draft-mbelshe-httpbis-spdy-00) * /tools.ietf.org/html/draft-montenegro-httpbis-speed-mobility-01 HTTP Speed+Mobility(draft-Montenegro-httpbis-speed-mobility-01) * /tools.ietf.org/html/draft-tarreau-httpbis-network-friendly-00 Proposal for a Network-Friendly HTTP Upgrade(draft-tarreau-httpbis-network-friendly-00) {{DEFAULTSORT:HTTP 2 Hypertext Transfer Protocol Application layer protocols Internet properties established in 2015

Goals

Differences from HTTP/1.1

History

Genesis in and later differences from SPDY

Development milestones

Encryption

Criticisms

Development process

Encryption

TCP head-of-line blocking

Server-side support

Server software

Content delivery networks

Implementations

See also

References

External links