HTTP/1.1 Upgrade header

The Upgrade header field is an HTTP header field introduced in HTTP/1.1. In the exchange, the client begins by making a cleartext request, which is later upgraded to a newer HTTP protocol version or switched to a different protocol. A connection upgrade must be requested by the client; if the server wants to enforce an upgrade it may send a 426 Upgrade Required response. The client can then send a new request with the appropriate upgrade headers while keeping the connection open.


Use with TLS

One use is to begin a request on the normal HTTP port but switch to Transport Layer Security (TLS). In practice such use is rare, with HTTPS being a far more common way to initiate encrypted HTTP. The server returns a 426 status code to alert legacy clients that the failure was client-related (400 level codes indicate a client failure).

This method for establishing a secure connection is advantageous because it:

* Does not require messy and problematic URL redirection on the server side;
* Enables virtual hosting of secured websites (although HTTPS also allows this using Server Name Indication); and
* Reduces the potential for user confusion by providing a single way to access a particular resource.

If the same resources are available from the server via both encrypted secure means and unencrypted clear means, a man-in-the-middle may maintain an unencrypted and unauthenticated connection with the client while maintaining an encrypted connection with the server.

Disadvantages of this method include:

* The client cannot specify the requirement for a secure HTTP in the URI (though the client can require such via the upgrade negotiation); and
* Since HTTP is defined on a hop basis, HTTP tunneling may be required to bypass proxy servers.


Use with WebSocket

WebSocket also uses this mechanism to set up a connection with an HTTP server in a compatible way. The WebSocket Protocol has two parts: a handshake to establish the upgraded connection, then the actual data transfer. First, a client requests a WebSocket connection by using the Upgrade: WebSocket and Connection: Upgrade headers, along with a few protocol-specific headers to establish the version being used and set up a handshake. The server, if it supports the protocol, replies with the same Upgrade: WebSocket and Connection: Upgrade headers and completes the handshake. Once the handshake is completed successfully, data transfer begins.
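The handshake described above, checked from both ends, as an added example that is not part of the original page. The function names are illustrative; the Sec-WebSocket-Key, Sec-WebSocket-Version and Sec-WebSocket-Accept fields and the fixed GUID are the protocol-specific headers defined in RFC 6455, and the sample key is that RFC's own example nonce.

```python
import base64
import binascii
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455

def _tokens(value):
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def accept_value(key):
    """Sec-WebSocket-Accept proves the server read this client's key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def server_handshake(headers):
    """Validate the client's opening request; return (status, reply headers)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "websocket" not in _tokens(h.get("upgrade", "")):
        return 400, {}
    if "upgrade" not in _tokens(h.get("connection", "")):
        return 400, {}
    if h.get("sec-websocket-version") != "13":
        # Unsupported version: answer 426 and name the version we speak.
        return 426, {"Sec-WebSocket-Version": "13"}
    key = h.get("sec-websocket-key", "")
    try:
        nonce = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return 400, {}
    if len(nonce) != 16:  # the key must be a base64-encoded 16-byte nonce
        return 400, {}
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": accept_value(key)}

def client_verify(sent_key, status, headers):
    """Client side: only start data transfer if the reply matches our key."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return (status == 101
            and h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in _tokens(h.get("connection", ""))
            and h.get("sec-websocket-accept") == accept_value(sent_key))

# Sample request built from the RFC 6455 example nonce.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_REQUEST = {"Upgrade": "WebSocket", "Connection": "keep-alive, Upgrade",
                  "Sec-WebSocket-Version": "13", "Sec-WebSocket-Key": SAMPLE_KEY}
```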


Use with HTTP/2

The HTTP Upgrade mechanism is used to establish HTTP/2 starting from plain HTTP. The client starts an HTTP/1.1 connection and sends an Upgrade: h2c header. If the server supports HTTP/2, it replies with an HTTP 101 Switching Protocols status code. The HTTP Upgrade mechanism is used only for cleartext HTTP/2 (h2c). In the case of HTTP/2 over TLS (h2), the ALPN TLS protocol extension is used instead.
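A server-side sketch of the negotiation covering both the h2c case above and the 426 enforcement described earlier, as an added example that is not part of the original page. The function names and sample requests are constructed for illustration; the TLS/1.0 token comes from RFC 2817 and the HTTP2-Settings field from RFC 7540, neither of which is named on this page.

```python
def parse_head(raw):
    """Return the header fields of a raw HTTP/1.1 request, names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        # A repeated field is equivalent to one comma-separated list.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def tokens(value):
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def negotiate(raw, supported, required=None):
    """Decide the reply to an upgrade offer.

    Returns (101, headers) to switch, (426, headers) to demand `required`,
    or (None, {}) to ignore the offer and answer over HTTP/1.1 as usual.
    """
    headers = parse_head(raw)
    offered = tokens(headers.get("upgrade", ""))
    # Upgrade is hop-by-hop: it only counts when Connection names it.
    if "upgrade" not in tokens(headers.get("connection", "")):
        offered = []
    # An h2c offer must carry its settings in an HTTP2-Settings field.
    if "http2-settings" not in headers:
        offered = [p for p in offered if p != "h2c"]
    if required is not None:
        status = 101 if required.lower() in offered else 426
        return status, {"Connection": "Upgrade", "Upgrade": required}
    for proto in supported:  # server preference order
        if proto.lower() in offered:
            return 101, {"Connection": "Upgrade", "Upgrade": proto}
    return None, {}

# Constructed sample requests.
H2C = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
       b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
       b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n")
TLS = (b"GET /account HTTP/1.1\r\nHost: example.test\r\n"
       b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
PLAIN = b"GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n"
STRAY = b"GET / HTTP/1.1\r\nHost: example.test\r\nUpgrade: h2c\r\n\r\n"
```

The STRAY request shows the hop-by-hop point: an Upgrade field that is not named in Connection is ignored, so the server answers over HTTP/1.1 instead of switching.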


See also

* Opportunistic encryption
* Secure Hypertext Transfer Protocol


External links


* Hypertext Transfer Protocol (HTTP) Upgrade Token Registry at IANA