This section describes messages for HTTP/1.1. Later versions,
HTTP/2 and
HTTP/3, use a
binary protocol, where headers are encoded in a single HEADERS and zero or more CONTINUATION frames using HPACK (HTTP/2) or QPACK (HTTP/3), which both provide efficient header compression. The request or response line from HTTP/1 has also been replaced by several pseudo-header fields, each beginning with a colon (:). At the highest level, a message consists of a header followed by a body.
Header A header consists of lines of
ASCII text; each terminated with a
carriage return and
line feed sequence. The layout for both a request and a response header is: ; Start line: Structured data that differs for request vs. response. ; Header fields: Zero or more
header field lines (at least 1 for HTTP/1.1); see below. ; Empty line: Marks the end of the header.
Body A body consists of data in any format; not limited to ASCII. The format must match that specified by the header field if the message contains one. A body is optional or, in other words, can be blank.
Entity Before HTTP/2, the term
entity was used to mean the body plus header fields that describe the body. In particular, not all headers were considered part of the entity. The term
entity header referred to a header that was considered part of the entity, and sometimes the body was called the
entity body. Modern documentation uses
body and
header without using
entity.
Header field A header field represents
metadata about the containing message. Examples include how the body is encoded (via
Content-Encoding), session verification and identification of the client (as in
browser cookies, IP address,
user-agent) or their anonymity thereof (VPN or proxy masking, user-agent spoofing), how the server should handle data (as in
Do-Not-Track or
Global Privacy Control), and the age (the time it has resided in a shared
cache) of the document being downloaded. Generally, the information of a header field is used by
software and not shown to the
user. A header field line is formatted as a
name-value pair with a colon separator.
Whitespace is not allowed around the name, but leading and trailing whitespace is ignored for the value part. Unlike a method name that must match exactly (case-sensitive), a header field name is matched ignoring case although often shown with each word capitalized. For example, the following are header fields for and . Host: www.example.com Accept-Language: en The standards do not limit the size of a header field or the number of fields in a message. However, most servers, clients, and proxy software impose limits for practical and security reasons. For example, the Apache 2.3 server by default limits the size of each field to 8190 bytes, and there can be at most 100 header fields in a single request. Although deprecated by RFC 7230, in the past, long lines could be split into multiple lines with a continuation line starting with a
space or
tab character.
Request A request is sent by a client to a server. The start line includes a method name, a request URI and the protocol version with a single space between each field. The following request start line specifies method , URI and protocol version : GET /customer/123 HTTP/1.1
Request header fields allow the client to pass additional information beyond the request line, acting as request modifiers (similarly to the parameters of a procedure). They give information about the client, about the target resource, or about the expected handling of the request. In the HTTP/1.1 protocol, all header fields except Host are optional. A request line containing only the path name is accepted by servers to maintain compatibility with HTTP clients before the HTTP/1.0 specification in .
Resource The protocol structures transaction as operating on resources. What a resource represents, whether pre-existing data or data that is generated dynamically, depends on the implementation of the server. Often, the resource corresponds to a file or the output of an executable running on the server.
Method A request identifies a method (sometimes informally called
verb) to classify the desired action to be performed on a resource. The HTTP/1.0 specification defined the GET, HEAD, and POST methods as well as listing the PUT, DELETE, LINK and UNLINK methods under additional methods. However, the HTTP/1.1 specification added five new methods: PUT, DELETE, CONNECT, OPTIONS, and TRACE. Any client can use any method and the server can be configured to support any combination of methods. If a method is unknown to an intermediate, it will be treated as an unsafe and
non-idempotent method. There is no limit to the number of methods that can be defined, which allows for future methods to be specified without breaking existing infrastructure. For example,
WebDAV defined seven new methods and specified the
PATCH method. A general-purpose web server is required to implement at least GET and HEAD, and all other methods are considered optional by the specification. Method names are case sensitive. This is in contrast to HTTP header field names which are case-insensitive. ; GET: The request is for a representation of a resource. The server should only
retrieve data; not modify state. ; HEAD: The request is like a GET except that the response should
not include the representation data in the body. This is useful for retrieving the representation
metadata in the response header, without having to transfer the entire representation. Uses include checking whether a page is available via the status code and getting the size of a
file via header field Content-Length. ;
POST: The request is to process a resource in some way. For example, it is used for posting a message to an
Internet forum, subscribing to a
mailing list, or completing an
online shopping transaction. ; PUT: The request is to create or update a resource with the state in the request. A distinction from POST is that the client specifies the target location on the server. ; DELETE: The request is to delete a resource. ; CONNECT: Requests that the intermediary establish a
TCP/IP tunnel to the origin server identified by the request target. It is often used to secure connections through one or more
HTTP proxies with
TLS. See
HTTP CONNECT method. ; OPTIONS: Request is for a report of the HTTP methods that are supported for a resource. This can be used to check the functionality of a web server by requesting '*' instead of a specific resource. ; TRACE: Requests the server to respond with the received request in the response body. That way a client can see what (if any) changes or additions have been made by intermediaries. Useful for debugging. ;
PATCH: The request is to modify a resource according to its partial state in the request. Compared to PUT, this can save bandwidth by sending only part of a resource's representation instead of all of it.
Safe method A request method is
safe if a request with that method has no intended effect on the server. The methods GET, HEAD, OPTIONS, and TRACE are defined as safe. In other words, safe methods are intended to be
read-only. Safe methods can still have
side effects not seen by the client, such as appending request information to a
log file or charging an
advertising account. In contrast, the methods POST, PUT, DELETE, CONNECT, and PATCH are not safe. They may modify the state of the server or have other effects such as sending an
email. Such methods are therefore not usually used by conforming
web robots or web crawlers; some that do not conform tend to make requests without regard to context or consequences. Despite the prescribed safety of GET requests, in practice their handling by the server is not technically limited in any way. Careless or deliberately irregular programming can allow GET requests to cause non-trivial changes on the server. This is discouraged because of the problems which can occur when
web caching,
search engines, and other automated agents make unintended changes on the server. For example, a website might allow deletion of a resource through a URL such as
https://example.com/article/1234/delete, which, if arbitrarily fetched, even using GET, would simply delete the article. A properly coded website would require a DELETE or POST method for this action, which non-malicious bots would not make. One example of this occurring in practice was during the short-lived
Google Web Accelerator beta, which prefetched arbitrary URLs on the page a user was viewing, causing records to be automatically altered or deleted
en masse. The beta was suspended only weeks after its first release, following widespread criticism.
Idempotent method A request method is
idempotent if multiple identical requests with that method have the same effect as a single such request. The methods PUT and DELETE, and safe methods are defined as idempotent. Safe methods are trivially idempotent, since they are intended to have no effect on the server whatsoever; the PUT and DELETE methods, meanwhile, are idempotent since successive identical requests will be ignored. A website might, for instance, set up a PUT endpoint to modify a user's recorded email address. If this endpoint is configured correctly, any requests which ask to change a user's email address to the same email address which is already recorded—e.g. duplicate requests following a successful request—will have no effect. Similarly, a request to DELETE a certain user will have no effect if that user has already been deleted. In contrast, the methods POST, CONNECT, and PATCH are not necessarily idempotent, and therefore sending an identical POST request multiple times may further modify the state of the server or have further effects, such as sending multiple
emails. In some cases this is the desired effect, but in other cases it may occur accidentally. A user might, for example, inadvertently send multiple POST requests by clicking a button again if they were not given clear feedback that the first click was being processed. While
web browsers may show
alert dialog boxes to warn users in some cases where reloading a page may re-submit a POST request, it is generally up to the web application to handle cases where a POST request should not be submitted more than once. Note that whether or not a method is idempotent is not enforced by the protocol or web server. It is perfectly possible to write a web application in which (for example) a database insert or other non-idempotent action is triggered by a GET or other request. To do so against recommendations, however, may result in undesirable consequences, if a user agent assumes that repeating the same request is safe when it is not.
Cacheable method A request method is
cacheable if responses to requests with that method may be stored for future reuse. The methods GET, HEAD, and POST are defined as cacheable. In contrast, the methods PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH are not cacheable.
Response A response is sent to the client by the server. The start line of a response consists of the protocol version, a status code and optionally a reason phrase with fields separated by a single space character. The following response start line specifies protocol version , status code and reason phrase . HTTP/1.1 400 Bad Request
Response header fields allow the server to pass additional information beyond the status line, acting as response modifiers. They give information about the server or about further access to the target resource or related resources. Each response header field has a defined meaning which can be further refined by the semantics of the request method or response status code.
Status code The status code is a three-digit, decimal, integer value that represents the disposition of the server's attempt to satisfy the client's request. Generally, a client handles a response primarily based on the status code and secondarily on response header fields. A client may not understand each status code that a server reports but it must understand the class as indicated by the first digit and treat an unrecognized code as equivalent to the x00 code of that class. The classes are as follows: ; 1XX informational: The request was received, continuing process. ; 2XX successful: The request was successfully received, understood, and accepted. ; 3XX redirection: Further action needs to be taken in order to complete the request. ; 4XX client error: The request cannot be fulfilled due to an issue that the client might be able to control. ; 5XX server error: The server failed to fulfill an apparently valid request.
Reason phrase The standard reason phrases are only recommendations. A web server is allowed to use a localized equivalent. If a status code indicates a problem, the user agent might display the reason phrase to the user to provide further information about the nature of the problem. The standard also allows the user agent to attempt to interpret the reason phrase, though this might be unwise since the standard explicitly specifies that status codes are machine-readable and reason phrases are
human-readable.
Example The following demonstrates an HTTP/1.1 request-response transaction for a server at
www.example.com, port 80. HTTP/1.0 would use the same messages except for a few missing headers. HTTP/2 and HTTP/3 would use the same request-response mechanism but with different representations for HTTP headers. The following is a request with no body. It consists of a start line, 6 header fields and a blank line each terminated with a
carriage return and
line feed sequence. The Host header field distinguishes between various
DNS names sharing a single
IP address, allowing name-based
virtual hosting. While optional in HTTP/1.0, it is mandatory in HTTP/1.1. GET / HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Although not clear in the representation above (due to limitations of this wiki), the blank line at the end results in ending in two line terminator sequences. Represented as a stream of characters, a shorted version of above shows this more clearly with representing a line terminator sequence: GET / HTTP/1.1Host: www.example.com. In the following response, the
ETag (entity tag) header field is used to determine if a cached version of the requested resource is identical to the current version of the resource on the server. The Content-Type header field specifies the
Internet media type of the data conveyed by the HTTP message, and Content-Length indicates its length in bytes. The HTTP/1.1
webserver publishes its ability to respond to requests for a byte range of the resource by including Accept-Ranges: bytes. This is useful, if the client needs to have only certain portions of a resource sent by the server, which is called
byte serving. When Connection: close is sent, it means that the
web server will close the
TCP connection immediately after the end of the transfer of this response. Most of the header fields are optional but some are mandatory. When header Content-Length is missing from a response with a body, then this should be considered an error in HTTP/1.0 but it may not be an error in HTTP/1.1 if header Transfer-Encoding: chunked is present. Chunked transfer encoding uses a chunk size of 0 to mark the end of the content. Some old implementations of HTTP/1.0 omitted the header Content-Length when the length of the body was not known at the beginning of the response and so the transfer of data to client continued until server closed the socket. Content-Encoding: gzip informs the client that the body is compressed per the
gzip algorithm. HTTP/1.1 200 OK Date: Mon, 23 May 2005 22:38:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 155 Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux) ETag: "3f80f-1b6-3e1cb03b" Accept-Ranges: bytes Connection: close An Example Page Hello World, this is a very simple HTML document. == Similar protocols ==