Internet Engineering Task Force (IETF)
R. Fielding, Ed.
Request for Comments: 7230
Obsoletes: ,
J. Reschke, Ed.
Updates: ,
greenbytes
Category: Standards Track
Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
The Hypertext Transfer Protocol (HTTP) is a stateless application-
level protocol for distributed, collaborative, hypertext information
This document provides an overview of HTTP architecture and
its associated terminology, defines the "http" and "https" Uniform
Resource Identifier (URI) schemes, defines the HTTP/1.1 message
syntax and parsing requirements, and describes related security
concerns for implementations.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
It represents the consensus of the IETF community.
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG).
Further information on
Internet Standards is available in .
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors.
All rights reserved.
This document is subject to
and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document.
Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
. Introduction ....................................................
. Requirements Notation ......................................
. Syntax Notation ............................................
. Architecture ....................................................
. Client/Server Messaging ....................................
. Implementation Diversity ...................................
. Intermediaries .............................................
. Caches ....................................................
. Conformance and Error Handling ............................
. Protocol Versioning .......................................
. Uniform Resource Identifiers ..............................
. http URI Scheme ....................................
. https URI Scheme ...................................
. http and https URI Normalization and Comparison ....
. Message Format .................................................
. Start Line ................................................
. Request Line .......................................
. Status Line ........................................
. Header Fields .............................................
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
. Field Extensibility ................................
. Field Order ........................................
. Whitespace .........................................
. Field Parsing ......................................
. Field Limits .......................................
. Field Value Components .............................
. Message Body ..............................................
. Transfer-Encoding ..................................
. Content-Length .....................................
. Message Body Length ................................
. Handling Incomplete Messages ..............................
. Message Parsing Robustness ................................
. Transfer Codings ...............................................
. Chunked Transfer Coding ...................................
. Chunk Extensions ...................................
. Chunked Trailer Part ...............................
. Decoding Chunked ...................................
. Compression Codings .......................................
. Compress Coding ....................................
. Deflate Coding .....................................
. Gzip Coding ........................................
. TE ........................................................
. Trailer ...................................................
. Message Routing ................................................
. Identifying a Target Resource .............................
. Connecting Inbound ........................................
. Request Target ............................................
. origin-form ........................................
. absolute-form ......................................
. authority-form .....................................
. asterisk-form ......................................
. Host ......................................................
. Effective Request URI .....................................
. Associating a Response to a Request .......................
. Message Forwarding ........................................
. Via ................................................
. Transformations ....................................
. Connection Management ..........................................
. Connection ................................................
. Establishment .............................................
. Persistence ...............................................
. Retrying Requests ..................................
. Pipelining .........................................
. Concurrency ...............................................
. Failures and Timeouts .....................................
. Tear-down .................................................
. Upgrade ...................................................
. ABNF List Extension: #rule .....................................
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
. IANA Considerations ............................................
. Header Field Registration .................................
. URI Scheme Registration ...................................
. Internet Media Type Registration ..........................
. Internet Media Type message/http ...................
. Internet Media Type application/http ...............
. Transfer Coding Registry ..................................
. Procedure ..........................................
. Registration .......................................
. Content Coding Registration ...............................
. Upgrade Token Registry ....................................
. Procedure ..........................................
. Upgrade Token Registration .........................
. Security Considerations ........................................
. Establishing Authority ....................................
. Risks of Intermediaries ...................................
. Attacks via Protocol Element Length .......................
. Response Splitting ........................................
. Request Smuggling .........................................
. Message Integrity .........................................
. Message Confidentiality ...................................
. Privacy of Server Log Information .........................
. Acknowledgments ...............................................
. References ....................................................
. Normative References .....................................
. Informative References ...................................
. HTTP Version History ..................................
. Changes from HTTP/1.0
....................................
Multihomed Web Servers ............................
Keep-Alive Connections ............................
Introduction of Transfer-Encoding .................
Changes from
....................................
. Collected ABNF ........................................
Index .............................................................
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
Introduction
The Hypertext Transfer Protocol (HTTP) is a stateless application-
level request/response protocol that uses extensible semantics and
self-descriptive message payloads for flexible interaction with
network-based hypertext information systems.
This document is the
first in a series of documents that collectively form the HTTP/1.1
specification:
"Message Syntax and Routing" (this document)
"Semantics and Content" []
"Conditional Requests" []
"Range Requests" []
"Caching" []
"Authentication" []
This HTTP/1.1 specification obsoletes
versioning).
This specification also updates the use of CONNECT to
establish a tunnel, previously defined in , and defines the
"https" URI scheme that was described informally in .
HTTP is a generic interface protocol for information systems.
designed to hide the details of how a service is implemented by
presenting a uniform interface to clients that is independent of the
types of resources provided.
Likewise, servers do not need to be
aware of each client's purpose: an HTTP request can be considered in
isolation rather than being associated with a specific type of client
or a predetermined sequence of application steps.
The result is a
protocol that can be used effectively in many different contexts and
for which implementations can evolve independently over time.
HTTP is also designed for use as an intermediation protocol for
translating communication to and from non-HTTP information systems.
HTTP proxies and gateways can provide access to alternative
information services by translating their diverse protocols into a
hypertext format that can be viewed and manipulated by clients in the
same way as HTTP services.
One consequence of this flexibility is that the protocol cannot be
defined in terms of what occurs behind the interface.
Instead, we
are limited to defining the syntax of communication, the intent of
received communication, and the expected behavior of recipients.
the communication is considered in isolation, then successful actions
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
ought to be reflected in corresponding changes to the observable
interface provided by servers.
However, since multiple clients might
act in parallel and perhaps at cross-purposes, we cannot require that
such changes be observable beyond the scope of a single response.
This document describes the architectural elements that are used or
referred to in HTTP, defines the "http" and "https" URI schemes,
describes overall network operation and connection management, and
defines HTTP message framing and forwarding requirements.
is to define all of the mechanisms necessary for HTTP message
handling that are independent of message semantics, thereby defining
the complete set of requirements for message parsers and message-
forwarding intermediaries.
Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [].
Conformance criteria and considerations regarding error handling are
defined in .
Syntax Notation
This specification uses the Augmented Backus-Naur Form (ABNF)
notation of [] with a list extension, defined in ,
that allows for compact definition of comma-separated lists using a
'#' operator (similar to how the '*' operator indicates repetition).
shows the collected grammar with all list operators
expanded to standard ABNF notation.
The following core rules are included by reference, as defined in
: ALPHA (letters), CR (carriage return), CRLF
(CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote),
HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF (line
feed), OCTET (any 8-bit sequence of data), SP (space), and VCHAR (any
visible [] character).
As a convention, ABNF rule names prefixed with "obs-" denote
"obsolete" grammar rules that appear for historical reasons.
Architecture
HTTP was created for the World Wide Web (WWW) architecture and has
evolved over time to support the scalability needs of a worldwide
hypertext system.
Much of that architecture is reflected in the
terminology and syntax productions used to define HTTP.
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
Client/Server Messaging
HTTP is a stateless request/response protocol that operates by
exchanging messages () across a reliable transport- or
session-layer "connection" ().
An HTTP "client" is a
program that establishes a connection to a server for the purpose of
sending one or more HTTP requests.
An HTTP "server" is a program
that accepts connections in order to service HTTP requests by sending
HTTP responses.
The terms "client" and "server" refer only to the roles that these
programs perform for a particular connection.
The same program might
act as a client on some connections and a server on others.
"user agent" refers to any of the various client programs that
initiate a request, including (but not limited to) browsers, spiders
(web-based robots), command-line tools, custom applications, and
mobile apps.
The term "origin server" refers to the program that can
originate authoritative responses for a given target resource.
terms "sender" and "recipient" refer to any implementation that sends
or receives a given message, respectively.
HTTP relies upon the Uniform Resource Identifier (URI) standard
[] to indicate the target resource () and
relationships between resources.
Messages are passed in a format
similar to that used by Internet mail [] and the Multipurpose
Internet Mail Extensions (MIME) [] (see
for the differences between HTTP and MIME messages).
Most HTTP communication consists of a retrieval request (GET) for a
representation of some resource identified by a URI.
In the simplest
case, this might be accomplished via a single bidirectional
connection (===) between the user agent (UA) and the origin
server (O).
UA ======================================= O
A client sends an HTTP request to a server in the form of a request
message, beginning with a request-line that includes a method, URI,
and protocol version (), followed by header fields
containing request modifiers, client information, and representation
metadata (), an empty line to indicate the end of the
header section, and finally a message body containing the payload
body (if any, ).
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
A server responds to a client's request by sending one or more HTTP
response messages, each beginning with a status line that includes
the protocol version, a success or error code, and textual reason
phrase (), possibly followed by header fields containing
server information, resource metadata, and representation metadata
(), an empty line to indicate the end of the header
section, and finally a message body containing the payload body (if
A connection might be used for multiple request/response exchanges,
as defined in .
The following example illustrates a typical message exchange for a
GET request () on the URI
"http://www.example.com/hello.txt":
Client request:
GET /hello.txt HTTP/1.1
User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
Host: www.example.com
Accept-Language: en, mi
Server response:
HTTP/1.1 200 OK
Date: Mon, 27 Jul :53 GMT
Server: Apache
Last-Modified: Wed, 22 Jul :56 GMT
ETag: "34aa387-d-1568eb00"
Accept-Ranges: bytes
Content-Length: 51
Vary: Accept-Encoding
Content-Type: text/plain
Hello World! My payload includes a trailing CRLF.
Implementation Diversity
When considering the design of HTTP, it is easy to fall into a trap
of thinking that all user agents are general-purpose browsers and all
origin servers are large public websites.
That is not the case in
Common HTTP user agents include household appliances,
stereos, scales, firmware update scripts, command-line programs,
mobile apps, and communication devices in a multitude of shapes and
Likewise, common HTTP origin servers include home automation
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
units, configurable networking components, office machines,
autonomous robots, news feeds, traffic cameras, ad selectors, and
video-delivery platforms.
The term "user agent" does not imply that there is a human user
directly interacting with the software agent at the time of a
In many cases, a user agent is installed or configured to
run in the background and save its results for later inspection (or
save only a subset of those results that might be interesting or
erroneous).
Spiders, for example, are typically given a start URI
and configured to follow certain behavior while crawling the Web as a
hypertext graph.
The implementation diversity of HTTP means that not all user agents
can make interactive suggestions to their user or provide adequate
warning for security or privacy concerns.
In the few cases where
this specification requires reporting of errors to the user, it is
acceptable for such reporting to only be observable in an error
console or log file.
Likewise, requirements that an automated action
be confirmed by the user before proceeding might be met via advance
configuration choices, run-time options, or simple avoidance of the
confirmation does not imply any specific user
interface or interruption of normal processing if the user has
already made that choice.
Intermediaries
HTTP enables the use of intermediaries to satisfy requests through a
chain of connections.
There are three common forms of HTTP
intermediary: proxy, gateway, and tunnel.
In some cases, a single
intermediary might act as an origin server, proxy, gateway, or
tunnel, switching behavior based on the nature of each request.
UA =========== A =========== B =========== C =========== O
The figure above shows three intermediaries (A, B, and C) between the
user agent and origin server.
A request or response message that
travels the whole chain will pass through four separate connections.
Some HTTP communication options might apply only to the connection
with the nearest, non-tunnel neighbor, only to the endpoints of the
chain, or to all connections along the chain.
Although the diagram
is linear, each participant might be engaged in multiple,
simultaneous communications.
For example, B might be receiving
requests from many clients other than A, and/or forwarding requests
to servers other than C, at the same time that it is handling A's
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
Likewise, later requests might be sent through a different
path of connections, often based on dynamic configuration for load
balancing.
The terms "upstream" and "downstream" are used to describe
directional requirements in relation to the message flow: all
messages flow from upstream to downstream.
The terms "inbound" and
"outbound" are used to describe directional requirements in relation
to the request route: "inbound" means toward the origin server and
"outbound" means toward the user agent.
A "proxy" is a message-forwarding agent that is selected by the
client, usually via local configuration rules, to receive requests
for some type(s) of absolute URI and attempt to satisfy those
requests via translation through the HTTP interface.
translations are minimal, such as for proxy requests for "http" URIs,
whereas other requests might require translation to and from entirely
different application-level protocols.
Proxies are often used to
group an organization's HTTP requests through a common intermediary
for the sake of security, annotation services, or shared caching.
Some proxies are designed to apply transformations to selected
messages or payloads while they are being forwarded, as described in
A "gateway" (a.k.a. "reverse proxy") is an intermediary that acts as
an origin server for the outbound connection but translates received
requests and forwards them inbound to another server or servers.
Gateways are often used to encapsulate legacy or untrusted
information services, to improve server performance through
"accelerator" caching, and to enable partitioning or load balancing
of HTTP services across multiple machines.
All HTTP requirements applicable to an origin server also apply to
the outbound communication of a gateway.
A gateway communicates with
inbound servers using any protocol that it desires, including private
extensions to HTTP that are outside the scope of this specification.
However, an HTTP-to-HTTP gateway that wishes to interoperate with
third-party HTTP servers ought to conform to user agent requirements
on the gateway's inbound connection.
A "tunnel" acts as a blind relay between two connections without
changing the messages.
Once active, a tunnel is not considered a
party to the HTTP communication, though the tunnel might have been
initiated by an HTTP request.
A tunnel ceases to exist when both
ends of the relayed connection are closed.
Tunnels are used to
extend a virtual connection through an intermediary, such as when
Transport Layer Security (TLS, []) is used to establish
confidential communication through a shared firewall proxy.
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
The above categories for intermediary only consider those acting as
participants in the HTTP communication.
There are also
intermediaries that can act on lower layers of the network protocol
stack, filtering or redirecting HTTP traffic without the knowledge or
permission of message senders.
Network intermediaries are
indistinguishable (at a protocol level) from a man-in-the-middle
attack, often introducing security flaws or interoperability problems
due to mistakenly violating HTTP semantics.
For example, an "interception proxy" [] (also commonly known
as a "transparent proxy" [] or "captive portal") differs from
an HTTP proxy because it is not selected by the client.
Instead, an
interception proxy filters or redirects outgoing TCP port 80 packets
(and occasionally other common port traffic).
Interception proxies
are commonly found on public network access points, as a means of
enforcing account subscription prior to allowing use of non-local
Internet services, and within corporate firewalls to enforce network
usage policies.
HTTP is defined as a stateless protocol, meaning that each request
message can be understood in isolation.
Many implementations depend
on HTTP's stateless design in order to reuse proxied connections or
dynamically load balance requests across multiple servers.
server MUST NOT assume that two requests on the same connection are
from the same user agent unless the connection is secured and
specific to that agent.
Some non-standard HTTP extensions (e.g.,
[]) have been known to violate this requirement, resulting in
security and interoperability problems.
A "cache" is a local store of previous response messages and the
subsystem that controls its message storage, retrieval, and deletion.
A cache stores cacheable responses in order to reduce the response
time and network bandwidth consumption on future, equivalent
Any client or server MAY employ a cache, though a cache
cannot be used by a server while it is acting as a tunnel.
The effect of a cache is that the request/response chain is shortened
if one of the participants along the chain has a cached response
applicable to that request.
The following illustrates the resulting
chain if B has a cached copy of an earlier response from O (via C)
for a request that has not been cached by UA or A.
UA =========== A =========== B - - - - - - C - - - - - - O
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
A response is "cacheable" if a cache is allowed to store a copy of
the response message for use in answering subsequent requests.
when a response is cacheable, there might be additional constraints
placed by the client or by the origin server on when that cached
response can be used for a particular request.
HTTP requirements for
cache behavior and cacheable responses are defined in .
There is a wide variety of architectures and configurations of caches
deployed across the World Wide Web and inside large organizations.
These include national hierarchies of proxy caches to save
transoceanic bandwidth, collaborative systems that broadcast or
multicast cache entries, archives of pre-fetched cache entries for
use in off-line or high-latency environments, and so on.
Conformance and Error Handling
This specification targets conformance criteria according to the role
of a participant in HTTP communication.
Hence, HTTP requirements are
placed on senders, recipients, clients, servers, user agents,
intermediaries, origin servers, proxies, gateways, or caches,
depending on what behavior is being constrained by the requirement.
Additional (social) requirements are placed on implementations,
resource owners, and protocol element registrations when they apply
beyond the scope of a single communication.
The verb "generate" is used instead of "send" where a requirement
differentiates between creating a protocol element and merely
forwarding a received element downstream.
An implementation is considered conformant if it complies with all of
the requirements associated with the roles it partakes in HTTP.
Conformance includes both the syntax and semantics of protocol
A sender MUST NOT generate protocol elements that convey a
meaning that is known by that sender to be false.
A sender MUST NOT
generate protocol elements that do not match the grammar defined by
the corresponding ABNF rules.
Within a given message, a sender MUST
NOT generate protocol elements or syntax alternatives that are only
allowed to be generated by participants in other roles (i.e., a role
that the sender does not have for that message).
When a received protocol element is parsed, the recipient MUST be
able to parse any value of reasonable length that is applicable to
the recipient's role and that matches the grammar defined by the
corresponding ABNF rules.
Note, however, that some received protocol
elements might not be parsed.
For example, an intermediary
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
forwarding a message might parse a header-field into generic
field-name and field-value components, but then forward the header
field without further parsing inside the field-value.
HTTP does not have specific length limitations for many of its
protocol elements because the lengths that might be appropriate will
vary widely, depending on the deployment context and purpose of the
implementation.
Hence, interoperability between senders and
recipients depends on shared expectations regarding what is a
reasonable length for each protocol element.
Furthermore, what is
commonly understood to be a reasonable length for some protocol
elements has changed over the course of the past two decades of HTTP
use and is expected to continue changing in the future.
At a minimum, a recipient MUST be able to parse and process protocol
element lengths that are at least as long as the values that it
generates for those same protocol elements in other messages.
example, an origin server that publishes very long URI references to
its own resources needs to be able to parse and process those same
references when received as a request target.
A recipient MUST interpret a received protocol element according to
the semantics defined for it by this specification, including
extensions to this specification, unless the recipient has determined
(through experience or configuration) that the sender incorrectly
implements what is implied by those semantics.
For example, an
origin server might disregard the contents of a received
Accept-Encoding header field if inspection of the User-Agent header
field indicates a specific implementation version that is known to
fail on receipt of certain content codings.
Unless noted otherwise, a recipient MAY attempt to recover a usable
protocol element from an invalid construct.
HTTP does not define
specific error handling mechanisms except when they have a direct
impact on security, since different applications of the protocol
require different error handling strategies.
For example, a Web
browser might wish to transparently recover from a response where the
Location header field doesn't parse according to the ABNF, whereas a
systems control client might consider any form of error recovery to
be dangerous.
Protocol Versioning
HTTP uses a "&major&.&minor&" numbering scheme to indicate versions
of the protocol.
This specification defines version "1.1".
protocol version as a whole indicates the sender's conformance with
the set of requirements laid out in that version's corresponding
specification of HTTP.
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
The version of an HTTP message is indicated by an HTTP-version field
in the first line of the message.
HTTP-version is case-sensitive.
HTTP-version
= HTTP-name "/" DIGIT "." DIGIT
= %x48.54.54.50 ; "HTTP", case-sensitive
The HTTP version number consists of two decimal digits separated by a
"." (period or decimal point).
The first digit ("major version")
indicates the HTTP messaging syntax, whereas the second digit ("minor
version") indicates the highest minor version within that major
version to which the sender is conformant and able to understand for
future communication.
The minor version advertises the sender's
communication capabilities even when the sender is only using a
backwards-compatible subset of the protocol, thereby letting the
recipient know that more advanced features can be used in response
(by servers) or in future requests (by clients).
When an HTTP/1.1 message is sent to an HTTP/1.0 recipient []
or a recipient whose version is unknown, the HTTP/1.1 message is
constructed such that it can be interpreted as a valid HTTP/1.0
message if all of the newer features are ignored.
This specification
places recipient-version requirements on some new features so that a
conformant sender will only use compatible features until it has
determined, through configuration or the receipt of a message, that
the recipient supports HTTP/1.1.
The interpretation of a header field does not change between minor
versions of the same major HTTP version, though the default behavior
of a recipient in the absence of such a field can change.
specified otherwise, header fields defined in HTTP/1.1 are defined
for all versions of HTTP/1.x.
In particular, the Host and Connection
header fields ought to be implemented by all HTTP/1.x implementations
whether or not they advertise conformance with HTTP/1.1.
New header fields can be introduced without changing the protocol
version if their defined semantics allow them to be safely ignored by
recipients that do not recognize them.
Header field extensibility is
discussed in .
Intermediaries that process HTTP messages (i.e., all intermediaries
other than those acting as tunnels) MUST send their own HTTP-version
in forwarded messages.
In other words, they are not allowed to
blindly forward the first line of an HTTP message without ensuring
that the protocol version in that message matches a version to which
that intermediary is conformant for both the receiving and sending of
Forwarding an HTTP message without rewriting the
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
HTTP-version might result in communication errors when downstream
recipients use the message sender's version to determine what
features are safe to use for later communication with that sender.
A client SHOULD send a request version equal to the highest version
to which the client is conformant and whose major version is no
higher than the highest version supported by the server, if this is
A client MUST NOT send a version to which it is not
conformant.
A client MAY send a lower request version if it is known that the
server incorrectly implements the HTTP specification, but only after
the client has attempted at least one normal request and determined
from the response status code or header fields (e.g., Server) that
the server improperly handles higher request versions.
A server SHOULD send a response version equal to the highest version
to which the server is conformant that has a major version less than
or equal to the one received in the request.
A server MUST NOT send
a version to which it is not conformant.
A server can send a 505
(HTTP Version Not Supported) response if it wishes, for any reason,
to refuse service of the client's major protocol version.
A server MAY send an HTTP/1.0 response to a request if it is known or
suspected that the client incorrectly implements the HTTP
specification and is incapable of correctly processing later version
responses, such as when a client fails to parse the version number
correctly or when an intermediary is known to blindly forward the
HTTP-version even when it doesn't conform to the given minor version
of the protocol.
Such protocol downgrades SHOULD NOT be performed
unless triggered by specific client attributes, such as when one or
more of the request header fields (e.g., User-Agent) uniquely match
the values sent by a client known to be in error.
The intention of HTTP's versioning design is that the major number
will only be incremented if an incompatible message syntax is
introduced, and that the minor number will only be incremented when
changes made to the protocol have the effect of adding to the message
semantics or implying additional capabilities of the sender.
However, the minor version was not incremented for the changes
introduced between [] and [], and this revision has
specifically avoided any such changes to the protocol.
When an HTTP message is received with a major version number that the
recipient implements, but a higher minor version number than what the
recipient implements, the recipient SHOULD process the message as if
it were in the highest minor version within that major version to
which the recipient is conformant.
A recipient can assume that a
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
message with a higher minor version, when sent to a recipient that
has not yet indicated support for that higher version, is
sufficiently backwards-compatible to be safely processed by any
implementation of the same major version.
Uniform Resource Identifiers
Uniform Resource Identifiers (URIs) [] are used throughout
HTTP as the means for identifying resources ().
URI references are used to target requests, indicate redirects, and
define relationships.
The definitions of "URI-reference", "absolute-URI", "relative-part",
"scheme", "authority", "port", "host", "path-abempty", "segment",
"query", and "fragment" are adopted from the URI generic syntax.
"absolute-path" rule is defined for protocol elements that can
contain a non-empty path component.
(This rule differs slightly from
the path-abempty rule of , which allows for an empty path to
be used in references, and path-absolute rule, which does not allow
paths that begin with "//".)
A "partial-URI" rule is defined for
protocol elements that can contain a relative URI but not a fragment
component.
URI-reference = &URI-reference, see &
absolute-URI
= &absolute-URI, see &
relative-part = &relative-part, see &
= &scheme, see &
= &authority, see &
= &host, see &
= &port, see &
path-abempty
= &path-abempty, see &
= &segment, see &
= &query, see &
= &fragment, see &
absolute-path = 1*( "/" segment )
partial-URI
= relative-part [ "?" query ]
Each protocol element in HTTP that allows a URI reference will
indicate in its ABNF production whether the element allows any form
of reference (URI-reference), only a URI in absolute form
(absolute-URI), only the path and optional query components, or some
combination of the above.
Unless otherwise indicated, URI references
are parsed relative to the effective request URI ().
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
http URI Scheme
The "http" URI scheme is hereby defined for the purpose of minting
identifiers according to their association with the hierarchical
namespace governed by a potential HTTP origin server listening for
TCP ([]) connections on a given port.
http-URI = "http:" "//" authority path-abempty [ "?" query ]
[ "#" fragment ]
The origin server for an "http" URI is identified by the authority
component, which includes a host identifier and optional TCP port
The hierarchical path component and
optional query component serve as an identifier for a potential
target resource within that origin server's name space.
The optional
fragment component allows for indirect identification of a secondary
resource, independent of the URI scheme, as defined in .
A sender MUST NOT generate an "http" URI with an empty host
identifier.
A recipient that processes such a URI reference MUST
reject it as invalid.
If the host identifier is provided as an IP address, the origin
server is the listener (if any) on the indicated TCP port at that IP
If host is a registered name, the registered name is an
indirect identifier for use with a name resolution service, such as
DNS, to find an address for that origin server.
If the port
subcomponent is empty or not given, TCP port 80 (the reserved port
for WWW services) is the default.
Note that the presence of a URI with a given authority component does
not imply that there is always an HTTP server listening for
connections on that host and port.
Anyone can mint a URI.
authority component determines is who has the right to respond
authoritatively to requests that target the identified resource.
delegated nature of registered names and IP addresses creates a
federated namespace, based on control over the indicated host and
port, whether or not an HTTP server is present.
security considerations related to establishing authority.
When an "http" URI is used within a context that calls for access to
the indicated resource, a client MAY attempt access by resolving the
host to an IP address, establishing a TCP connection to that address
on the indicated port, and sending an HTTP request message
() containing the URI's identifying data () to the
If the server responds to that request with a non-interim
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
HTTP response message, as described in , then
that response is considered an authoritative answer to the client's
Although HTTP is independent of the transport protocol, the "http"
scheme is specific to TCP-based services because the name delegation
process depends on TCP for establishing authority.
An HTTP service
based on some other underlying connection protocol would presumably
be identified using a different URI scheme, just as the "https"
scheme (below) is used for resources that require an end-to-end
secured connection.
Other protocols might also be used to provide
access to "http" identified resources -- it is only the authoritative
interface that is specific to TCP.
The URI generic syntax for authority also includes a deprecated
userinfo subcomponent () for including user
authentication information in the URI.
Some implementations make use
of the userinfo component for internal configuration of
authentication information, such as within command invocation
options, configuration files, or bookmark lists, even though such
usage might expose a user identifier or password.
A sender MUST NOT
generate the userinfo subcomponent (and its "@" delimiter) when an
"http" URI reference is generated within a message as a request
target or header field value.
Before making use of an "http" URI
reference received from an untrusted source, a recipient SHOULD parse
for userinfo and treat its
it is likely being
used to obscure the authority for the sake of phishing attacks.
https URI Scheme
The "https" URI scheme is hereby defined for the purpose of minting
identifiers according to their association with the hierarchical
namespace governed by a potential HTTP origin server listening to a
given TCP port for TLS-secured connections ([]).
All of the requirements listed above for the "http" scheme are also
requirements for the "https" scheme, except that TCP port 443 is the
default if the port subcomponent is empty or not given, and the user
agent MUST ensure that its connection to the origin server is secured
through the use of strong encryption, end-to-end, prior to sending
the first HTTP request.
https-URI = "https:" "//" authority path-abempty [ "?" query ]
[ "#" fragment ]
Note that the "https" URI scheme depends on both TLS and TCP for
establishing authority.
Resources made available via the "https"
scheme have no shared identity with the "http" scheme even if their
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
resource identifiers indicate the same authority (the same host
listening to the same TCP port).
They are distinct namespaces and
are considered to be distinct origin servers.
However, an extension
to HTTP that is defined to apply to entire host domains, such as the
Cookie protocol [], can allow information set by one service
to impact communication with other services within a matching group
of host domains.
The process for authoritative access to an "https" identified
resource is defined in [].
http and https URI Normalization and Comparison
Since the "http" and "https" schemes conform to the URI generic
syntax, such URIs are normalized and compared according to the
algorithm defined in , using the defaults
described above for each scheme.
If the port is equal to the default port for a scheme, the normal
form is to omit the port subcomponent.
When not being used in
absolute form as the request target of an OPTIONS request, an empty
path component is equivalent to an absolute path of "/", so the
normal form is to provide a path of "/" instead.
The scheme and host
are case-insensitive and normally p all other
components are compared in a case-sensitive manner.
Characters other
than those in the "reserved" set are equivalent to their
percent-encoded octets: the normal form is to not encode them (see
For example, the following three URIs are equivalent:
http://EXAMPLE.com/%7Esmith/home.html
Message Format
All HTTP/1.1 messages consist of a start-line followed by a sequence
of octets in a format similar to the Internet Message Format
[]: zero or more header fields (collectively referred to as
the "headers" or the "header section"), an empty line indicating the
end of the header section, and an optional message body.
HTTP-message
= start-line
*( header-field CRLF )
[ message-body ]
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
The normal procedure for parsing an HTTP message is to read the
start-line into a structure, read each header field into a hash table
by field name until the empty line, and then use the parsed data to
determine if a message body is expected.
If a message body has been
indicated, then it is read as a stream until an amount of octets
equal to the message body length is read or the connection is closed.
A recipient MUST parse an HTTP message as a sequence of octets in an
encoding that is a superset of US-ASCII [].
Parsing an HTTP
message as a stream of Unicode characters, without regard for the
specific encoding, creates security vulnerabilities due to the
varying ways that string processing libraries handle invalid
multibyte character sequences that contain the octet LF (%x0A).
String-based parsers can only be safely used within protocol elements
after the element has been extracted from the message, such as within
a header field-value after message parsing has delineated the
individual fields.
An HTTP message can be parsed as a stream for incremental processing
or forwarding downstream.
However, recipients cannot rely on
incremental delivery of partial messages, since some implementations
will buffer or delay message forwarding for the sake of network
efficiency, security checks, or payload transformations.
A sender MUST NOT send whitespace between the start-line and the
first header field.
A recipient that receives whitespace between the
start-line and the first header field MUST either reject the message
as invalid or consume each whitespace-preceded line without further
processing of it (i.e., ignore the entire line, along with any
subsequent lines preceded by whitespace, until a properly formed
header field is received or the header section is terminated).
The presence of such whitespace in a request might be an attempt to
trick a server into ignoring that field or processing the line after
it as a new request, either of which might result in a security
vulnerability if other implementations within the request chain
interpret the same message differently.
Likewise, the presence of
such whitespace in a response might be ignored by some clients or
cause others to cease parsing.
Start Line
An HTTP message can be either a request from client to server or a
response from server to client.
Syntactically, the two types of
message differ only in the start-line, which is either a request-line
(for requests) or a status-line (for responses), and in the algorithm
for determining the length of the message body ().
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
In theory, a client could receive requests and a server could receive
responses, distinguishing them by their different start-line formats,
but, in practice, servers are implemented to only expect a request (a
response is interpreted as an unknown or invalid request method) and
clients are implemented to only expect a response.
start-line
= request-line / status-line
Request Line
A request-line begins with a method token, followed by a single space
(SP), the request-target, another single space (SP), the protocol
version, and ends with CRLF.
request-line
= method SP request-target SP HTTP-version CRLF
The method token indicates the request method to be performed on the
target resource.
The request method is case-sensitive.
The request methods defined by this specification can be found in
, along with information regarding the HTTP
method registry and considerations for defining new methods.
The request-target identifies the target resource upon which to apply
the request, as defined in .
Recipients typically parse the request-line into its component parts
by splitting on whitespace (see ), since no whitespace is
allowed in the three components.
Unfortunately, some user agents
fail to properly encode or exclude whitespace found in hypertext
references, resulting in those disallowed characters being sent in a
request-target.
Recipients of an invalid request-line SHOULD respond with either a
400 (Bad Request) error or a 301 (Moved Permanently) redirect with
the request-target properly encoded.
A recipient SHOULD NOT attempt
to autocorrect and then process the request without a redirect, since
the invalid request-line might be deliberately crafted to bypass
security filters along the request chain.
HTTP does not place a predefined limit on the length of a
request-line, as described in .
A server that receives a
method longer than any that it implements SHOULD respond with a 501
(Not Implemented) status code.
A server that receives a
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
request-target longer than any URI it wishes to parse MUST respond
with a 414 (URI Too Long) status code (see ).
Various ad hoc limitations on request-line length are found in
It is RECOMMENDED that all HTTP senders and recipients
support, at a minimum, request-line lengths of 8000 octets.
Status Line
The first line of a response message is the status-line, consisting
of the protocol version, a space (SP), the status code, another
space, a possibly empty textual phrase describing the status code,
and ending with CRLF.
status-line = HTTP-version SP status-code SP reason-phrase CRLF
The status-code element is a 3-digit integer code describing the
result of the server's attempt to understand and satisfy the client's
corresponding request.
The rest of the response message is to be
interpreted in light of the semantics defined for that status code.
for information about the semantics of
status codes, including the classes of status code (indicated by the
first digit), the status codes defined by this specification,
considerations for the definition of new status codes, and the IANA
status-code
The reason-phrase element exists for the sole purpose of providing a
textual description associated with the numeric status code, mostly
out of deference to earlier Internet application protocols that were
more frequently used with interactive text clients.
A client SHOULD
ignore the reason-phrase content.
reason-phrase
= *( HTAB / SP / VCHAR / obs-text )
Header Fields
Each header field consists of a case-insensitive field name followed
by a colon (":"), optional leading whitespace, the field value, and
optional trailing whitespace.
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
header-field
= field-name ":" OWS field-value OWS
field-name
field-value
= *( field-content / obs-fold )
field-content
= field-vchar [ 1*( SP / HTAB ) field-vchar ]
field-vchar
= VCHAR / obs-text
= CRLF 1*( SP / HTAB )
obsolete line folding
The field-name token labels the corresponding field-value as having
the semantics defined by that header field.
For example, the Date
header field is defined in
as containing
the origination timestamp for the message in which it appears.
Field Extensibility
Header fields are fully extensible: there is no limit on the
introduction of new field names, each presumably defining new
semantics, nor on the number of header fields used in a given
Existing fields are defined in each part of this
specification and in many other specifications outside this document
New header fields can be defined such that, when they are understood
by a recipient, they might override or enhance the interpretation of
previously defined header fields, define preconditions on request
evaluation, or refine the meaning of responses.
A proxy MUST forward unrecognized header fields unless the field-name
is listed in the Connection header field () or the proxy
is specifically configured to block, or otherwise transform, such
Other recipients SHOULD ignore unrecognized header fields.
These requirements allow HTTP's functionality to be enhanced without
requiring prior update of deployed intermediaries.
All defined header fields ought to be registered with IANA in the
"Message Headers" registry, as described in .
Field Order
The order in which header fields with differing field names are
received is not significant.
However, it is good practice to send
header fields that contain control data first, such as Host on
requests and Date on responses, so that implementations can decide
when not to handle a message as early as possible.
A server MUST NOT
apply a request to the target resource until the entire request
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
header section is received, since later header fields might include
conditionals, authentication credentials, or deliberately misleading
duplicate header fields that would impact request processing.
A sender MUST NOT generate multiple header fields with the same field
name in a message unless either the entire field value for that
header field is defined as a comma-separated list [i.e., #(values)]
or the header field is a well-known exception (as noted below).
A recipient MAY combine multiple header fields with the same field
name into one "field-name: field-value" pair, without changing the
semantics of the message, by appending each subsequent field value to
the combined field value in order, separated by a comma.
in which header fields with the same field name are received is
therefore significant to the interpretation of the combined field
a proxy MUST NOT change the order of these field values when
forwarding a message.
Note: In practice, the "Set-Cookie" header field ([]) often
appears multiple times in a response message and does not use the
list syntax, violating the above requirements on multiple header
fields with the same name.
Since it cannot be combined into a
single field-value, recipients ought to handle "Set-Cookie" as a
special case while processing header fields.
of [] for details.)
Whitespace
This specification uses three rules to denote the use of linear
whitespace: OWS (optional whitespace), RWS (required whitespace), and
BWS ("bad" whitespace).
The OWS rule is used where zero or more linear whitespace octets
might appear.
For protocol elements where optional whitespace is
preferred to improve readability, a sender SHOULD generate the
optional whitespace as a single SP; otherwise, a sender SHOULD NOT
generate optional whitespace except as needed to white out invalid or
unwanted protocol elements during in-place message filtering.
The RWS rule is used when at least one linear whitespace octet is
required to separate field tokens.
A sender SHOULD generate RWS as a
single SP.
The BWS rule is used where the grammar allows optional whitespace
only for historical reasons.
A sender MUST NOT generate BWS in
A recipient MUST parse for such bad whitespace and remove
it before interpreting the protocol element.
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
= *( SP / HTAB )
optional whitespace
= 1*( SP / HTAB )
required whitespace
"bad" whitespace
Field Parsing
Messages are parsed using a generic algorithm, independent of the
individual header field names.
The contents within a given field
value are not parsed until a later stage of message interpretation
(usually after the message's entire header section has been
processed).
Consequently, this specification does not use ABNF rules
to define each "Field-Name: Field Value" pair, as was done in
previous editions.
Instead, this specification uses ABNF rules that
are named according to each registered field name, wherein the rule
defines the valid grammar for that field's corresponding field values
(i.e., after the field-value has been extracted from the header
section by a generic field parser).
No whitespace is allowed between the header field-name and colon.
the past, differences in the handling of such whitespace have led to
security vulnerabilities in request routing and response handling.
server MUST reject any received request message that contains
whitespace between a header field-name and colon with a response code
of 400 (Bad Request).
A proxy MUST remove any such whitespace from a
response message before forwarding the message downstream.
A field value might be preceded and/or followed by optional
whitespace (OWS); a single SP preceding the field-value is preferred
for consistent readability by humans.
The field value does not
include any leading or trailing whitespace: OWS occurring before the
first non-whitespace octet of the field value or after the last
non-whitespace octet of the field value ought to be excluded by
parsers when extracting the field value from a header field.
Historically, HTTP header field values could be extended over
multiple lines by preceding each extra line with at least one space
or horizontal tab (obs-fold).
This specification deprecates such
line folding except within the message/http media type
A sender MUST NOT generate a message that includes
line folding (i.e., that has any field-value that contains a match to
the obs-fold rule) unless the message is intended for packaging
within the message/http media type.
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
A server that receives an obs-fold in a request message that is not
within a message/http container MUST either reject the message by
sending a 400 (Bad Request), preferably with a representation
explaining that obsolete line folding is unacceptable, or replace
each received obs-fold with one or more SP octets prior to
interpreting the field value or forwarding the message downstream.
A proxy or gateway that receives an obs-fold in a response message
that is not within a message/http container MUST either discard the
message and replace it with a 502 (Bad Gateway) response, preferably
with a representation explaining that unacceptable line folding was
received, or replace each received obs-fold with one or more SP
octets prior to interpreting the field value or forwarding the
message downstream.
A user agent that receives an obs-fold in a response message that is
not within a message/http container MUST replace each received
obs-fold with one or more SP octets prior to interpreting the field
Historically, HTTP has allowed field content with text in the
ISO-8859-1 charset [], supporting other charsets only
through use of [] encoding.
In practice, most HTTP header
field values use only a subset of the US-ASCII charset [].
Newly defined header fields SHOULD limit their field values to
US-ASCII octets.
A recipient SHOULD treat other octets in field
content (obs-text) as opaque data.
Field Limits
HTTP does not place a predefined limit on the length of each header
field or on the length of the header section as a whole, as described
Various ad hoc limitations on individual header
field length are found in practice, often depending on the specific
field semantics.
A server that receives a request header field, or set of fields,
larger than it wishes to process MUST respond with an appropriate 4xx
(Client Error) status code.
Ignoring such header fields would
increase the server's vulnerability to request smuggling attacks
A client MAY discard or truncate received header fields that are
larger than the client wishes to process if the field semantics are
such that the dropped value(s) can be safely ignored without changing
the message framing or response semantics.
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
Field Value Components
Most HTTP header field values are defined using common syntax
components (token, quoted-string, and comment) separated by
whitespace or specific delimiting characters.
Delimiters are chosen
from the set of US-ASCII visual characters not allowed in a token
(DQUOTE and "(),/:;&=&?@[\]{}").
= "!" / "#" / "$" / "%" / "&" / "'" / "*"
/ "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
/ DIGIT / ALPHA
any VCHAR, except delimiters
A string of text is parsed as a single value if it is quoted using
double-quote marks.
quoted-string
= DQUOTE *( qdtext / quoted-pair ) DQUOTE
= HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text
Comments can be included in some HTTP header fields by surrounding
the comment text with parentheses.
Comments are only allowed in
fields containing "comment" as part of their field value definition.
= "(" *( ctext / quoted-pair / comment ) ")"
= HTAB / SP / %x21-27 / %x2A-5B / %x5D-7E / obs-text
The backslash octet ("\") can be used as a single-octet quoting
mechanism within quoted-string and comment constructs.
Recipients
that process the value of a quoted-string MUST handle a quoted-pair
as if it were replaced by the octet following the backslash.
quoted-pair
= "\" ( HTAB / SP / VCHAR / obs-text )
A sender SHOULD NOT generate a quoted-pair in a quoted-string except
where necessary to quote DQUOTE and backslash octets occurring within
that string.
A sender SHOULD NOT generate a quoted-pair in a comment
except where necessary to quote parentheses ["(" and ")"] and
backslash octets occurring within that comment.
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
Message Body
The message body (if any) of an HTTP message is used to carry the
payload body of that request or response.
The message body is
identical to the payload body unless a transfer coding has been
applied, as described in .
message-body = *OCTET
The rules for when a message body is allowed in a message differ for
requests and responses.
The presence of a message body in a request is signaled by a
Content-Length or Transfer-Encoding header field.
Request message
framing is independent of method semantics, even if the method does
not define any use for a message body.
The presence of a message body in a response depends on both the
request method to which it is responding and the response status code
Responses to the HEAD request method () never include a message body because the associated
response header fields (e.g., Transfer-Encoding, Content-Length,
etc.), if present, indicate only what their values would have been if
the request method had been GET (). 2xx
(Successful) responses to a CONNECT request method () switch to tunnel mode instead of having a message body.
All 1xx (Informational), 204 (No Content), and 304 (Not Modified)
responses do not include a message body.
All other responses do
include a message body, although the body might be of zero length.
Transfer-Encoding
The Transfer-Encoding header field lists the transfer coding names
corresponding to the sequence of transfer codings that have been (or
will be) applied to the payload body in order to form the message
Transfer codings are defined in .
Transfer-Encoding = 1#transfer-coding
Transfer-Encoding is analogous to the Content-Transfer-Encoding field
of MIME, which was designed to enable safe transport of binary data
over a 7-bit transport service ().
However, safe
transport has a different focus for an 8bit-clean transfer protocol.
In HTTP's case, Transfer-Encoding is primarily intended to accurately
delimit a dynamically generated payload and to distinguish payload
encodings that are only applied for transport efficiency or security
from those that are characteristics of the selected resource.
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
A recipient MUST be able to parse the chunked transfer coding
() because it plays a crucial role in framing messages
when the payload body size is not known in advance.
A sender MUST
NOT apply chunked more than once to a message body (i.e., chunking an
already chunked message is not allowed).
If any transfer coding
other than chunked is applied to a request payload body, the sender
MUST apply chunked as the final transfer coding to ensure that the
message is properly framed.
If any transfer coding other than
chunked is applied to a response payload body, the sender MUST either
apply chunked as the final transfer coding or terminate the message
by closing the connection.
For example,
Transfer-Encoding: gzip, chunked
indicates that the payload body has been compressed using the gzip
coding and then chunked using the chunked coding while forming the
message body.
Unlike Content-Encoding (),
Transfer-Encoding is a property of the message, not of the
representation, and any recipient along the request/response chain
MAY decode the received transfer coding(s) or apply additional
transfer coding(s) to the message body, assuming that corresponding
changes are made to the Transfer-Encoding field-value.
Additional
information about the encoding parameters can be provided by other
header fields not defined by this specification.
Transfer-Encoding MAY be sent in a response to a HEAD request or in a
304 (Not Modified) response () to a GET
request, neither of which includes a message body, to indicate that
the origin server would have applied a transfer coding to the message
body if the request had been an unconditional GET.
This indication
is not required, however, because any recipient on the response chain
(including the origin server) can remove transfer codings when they
are not needed.
A server MUST NOT send a Transfer-Encoding header field in any
response with a status code of 1xx (Informational) or 204 (No
A server MUST NOT send a Transfer-Encoding header field in
any 2xx (Successful) response to a CONNECT request ().
Transfer-Encoding was added in HTTP/1.1.
It is generally assumed
that implementations advertising only HTTP/1.0 support will not
understand how to process a transfer-encoded payload.
A client MUST
NOT send a request containing Transfer-Encoding unless it knows the
Fielding & Reschke
Standards Track
HTTP/1.1 Message Syntax and Routing
server will handle HTTP/1.1 (or later) such knowledge might
be in the form of specific user configuration or by remembering the
version of a prior received response.
A server MUST NOT send a
response containing Transfer-Encoding unless the corresponding
request indicates HTTP/1.1 (or later).
A server that receives a request message with a transfer coding it
does not understand SHOULD respond with 501 (Not Implemented).
Content-Length
When a message does not have a Transfer-Encoding header field, a
Content-Length header field can provide the anticipated size, as a
decimal number of octets, for a potential payload body.
For messages
that do include a payload body, the Content-Length field-value
provides the framing information necessary for determining where the
b}