HTTP Messages

HTTP messages are how data is exchanged between a server and a client. There are two types of messages: requests sent by the client to trigger an action on the server, and responses, the answer from the server.

HTTP messages are composed of textual information encoded in ASCII, and span over multiple lines. In HTTP/1.1, and earlier versions of the protocol, these messages were openly sent across the connection. In HTTP/2, the once human-readable message is now divided up into HTTP frames, providing optimization and performance improvements.

Web developers, or webmasters, rarely craft these textual HTTP messages themselves: software, a Web browser, proxy, or Web server, perform this action. They provide HTTP messages through config files (for proxies or servers), APIs (for browsers), or other interfaces.

From a user-, script-, or server- generated event, an HTTP/1.x msg is generated, and if HTTP/2 is in use, it is binary framed into an HTTP/2 stream, then sent.

The HTTP/2 binary framing mechanism has been designed to not require any alteration of the APIs or config files applied: it is broadly transparent to the user.

HTTP requests, and responses, share similar structure and are composed of:

  1. A start-line describing the requests to be implemented, or its status of whether successful or a failure. This start-line is always a single line.
  2. An optional set of HTTP headers specifying the request, or describing the body included in the message.
  3. A blank line indicating all meta-information for the request have been sent.
  4. An optional body containing data associated with the request (like content of an HTML form), or the document associated with a response. The presence of the body and its size is specified by the start-line and HTTP headers.

The start-line and HTTP headers of the HTTP message are collectively known as the head of the requests, whereas its payload is known as the body.

Requests and responses share a common structure in HTTP

HTTP Requests

Start line

HTTP requests are messages sent by the client to initiate an action on the server. Their start-line contain three elements:

  1. An HTTP method, a verb (like GET, PUT or POST) or a noun (like HEAD or OPTIONS), that describes the action to be performed. For example, GET indicates that a resource should be fetched or POST means that data is pushed to the server (creating or modifying a resource, or generating a temporary document to send back).
  2. The request target, usually a URL, or the absolute path of the protocol, port, and domain are usually characterized by the request context. The format of this request target varies between different HTTP methods. It can be
    • An absolute path, ultimately followed by a '?' and query string. This is the most common form, known as the origin form, and is used with GET, POST, HEAD, and OPTIONS methods.
      POST / HTTP/1.1
      GET /background.png HTTP/1.0
      HEAD /test.html?query=alibaba HTTP/1.1
      OPTIONS /anypage.html HTTP/1.0
    • A complete URL, known as the absolute form, is mostly used with GET when connected to a proxy.
      GET http://developer.mozilla.org/en-US/docs/Web/HTTP/Messages HTTP/1.1
    • The authority component of a URL, consisting of the domain name and optionally the port (prefixed by a ':'), is called the authority form. It is only used with CONNECT when setting up an HTTP tunnel.
      CONNECT developer.mozilla.org:80 HTTP/1.1
    • The asterisk form, a simple asterisk ('*') is used with OPTIONS, representing the server as a whole.
      OPTIONS * HTTP/1.1
  3. The HTTP version, which defines the structure of the remaining message, acting as an indicator of the expected version to use for the response.

Headers

HTTP headers from a request follow the same basic structure of an HTTP header: a case-insensitive string followed by a colon (':') and a value whose structure depends upon the header. The whole header, including the value, consist of one single line, which can be quite long.

There are numerous request headers available. They can be divided in several groups:

  • General headers, like Via, apply to the message as a whole.
  • Request headers, like User-Agent, Accept-Type, modify the request by specifying it further (like Accept-Language), by giving context (like Referer), or by conditionally restricting it (like If-None).
  • Entity headers, like Content-Length which apply to the body of the request. Obviously, there is no such header transmitted if there is no body in the request.

Example of headers in an HTTP request

Body

The final part of the request is its body. Not all requests have one: requests fetching resources, like GET, HEAD, DELETE, or OPTIONS, usually don't need one. Some requests send data to the server in order to update it: as often the case with POST requests (containing HTML form data).

Bodies can be broadly divided into two categories:

HTTP Responses

Status line

The start line of an HTTP response, called the status line, contains the following information:

  1. The protocol version, usually HTTP/1.1.
  2. A status code, indicating success or failure of the request. Common status codes are 200, 404, or 302
  3. A status text. A brief, purely informational, textual description of the status code to help a human understand the HTTP message.

A typical status line looks like: HTTP/1.1 404 Not Found.

Headers

HTTP headers for responses follow the same structure as any other header: a case-insensitive string followed by a colon (':') and a value whose structure depends upon the type of the header. The whole header, including its value, presents as a single line.

There are numerous response headers available. These can be divided into several groups:

  • General headers, like Via, apply to the whole message.
  • Response headers, like Vary and Accept-Ranges, give additional information about the server which doesn't fit in the status line.
  • Entity headers, like Content-Length, apply to the body of the response. Typically, no such headers are transmitted when there is no body in the response.

Example of headers in an HTTP response

Body

The last part of a response is the body. Not all responses have one: responses with a status code, like 201 or 204, usually don't.

Bodies can be broadly divided into three categories:

  • Single-resource bodies, consisting of a single file of known length, defined by the two headers: Content-Type and Content-Length.
  • Single-resource bodies, consisting of a single file of unknown length, encoded by chunks with Transfer-Encoding set to chunked.
  • Multiple-resource bodies, consisting of a multipart body, each containing a different section of information. These are relatively rare.

HTTP/2 Frames

HTTP/1.x messages have a few drawbacks for performance:

  • Headers, unlike bodies, are uncompressed.
  • Headers are often very similar from one message to the next one, yet still repeated across connections.
  • No multiplexing can be done. Several connections need opening on the same server: and warm TCP connections are more efficient than cold ones.

HTTP/2 introduces an extra step: it divides HTTP/1.x messages into frames which are embedded in a stream. Data and header frames are separated, this allows header compression. Several streams can be combined together, a process called multiplexing, allowing more efficient underlying TCP connections.

HTTP/2 modify the HTTP message to divide them in frames (part of a single stream), allowing for more optimization.

HTTP frames are now transparent to Web developers. This is an additional step in HTTP/2, between HTTP/1.1 messages and the underlying transport protocol. No changes are needed in the APIs used by Web developers to utilize HTTP frames; when available in both the browser and the server, HTTP/2 is switched on and used.

Conclusion

HTTP messages are the key in using HTTP; their structure is simple, and they are highly extensible. The HTTP/2 framing mechanism adds a new intermediate layer between the HTTP/1.x syntax and the underlying transport protocol, without fundamentally modifying it: building upon proven mechanisms.

Verwandte Themen
  1. HTTP
  2. Guides:
  3. Resources and URIs
    1. Identifying resources on the Web
    2. Data URIs
    3. Introduction to MIME Types
    4. Complete list of MIME Types
    5. Choosing between www and non-www URLs
  4. HTTP guide
    1. Basics of HTTP
    2. Overview of HTTP
    3. Evolution of HTTP
    4. HTTP Messages
    5. A typical HTTP session
    6. Connection management in HTTP/1.x
    7. Protocol upgrade mechanism
  5. HTTP security
    1. Content Security Policy (CSP)
    2. HTTP Public Key Pinning (HPKP)
    3. HTTP Strict Transport Security (HSTS)
    4. Cookie security
    5. X-Content-Type-Options
    6. X-Frame-Options
    7. X-XSS-Protection
    8. Mozilla web security guidelines
    9. Mozilla Observatory
  6. HTTP access control (CORS)
  7. HTTP authentication
  8. HTTP caching
  9. HTTP compression
  10. HTTP conditional requests
  11. HTTP content negotiation
  12. HTTP cookies
  13. HTTP range requests
  14. HTTP redirects
  15. HTTP specifications
  16. Feature policy
  17. References:
  18. HTTP headers
    1. Accept
    2. Accept-Charset
    3. Accept-Encoding
    4. Accept-Language
    5. Accept-Patch
    6. Accept-Ranges
    7. Access-Control-Allow-Credentials
    8. Access-Control-Allow-Headers
    9. Access-Control-Allow-Methods
    10. Access-Control-Allow-Origin
    11. Access-Control-Expose-Headers
    12. Access-Control-Max-Age
    13. Access-Control-Request-Headers
    14. Access-Control-Request-Method
    15. Age
    16. Allow
    17. Alt-Svc
    18. Authorization
    19. Cache-Control
    20. Clear-Site-Data
    21. Connection
    22. Content-Disposition
    23. Content-Encoding
    24. Content-Language
    25. Content-Length
    26. Content-Location
    27. Content-Range
    28. Content-Security-Policy
    29. Content-Security-Policy-Report-Only
    30. Content-Type
    31. Cookie
    32. Cookie2
    33. Cross-Origin-Resource-Policy
    34. DNT
    35. Date
    36. ETag
    37. Early-Data
    38. Expect
    39. Expect-CT
    40. Expires
    41. Feature-Policy
    42. Forwarded
    43. From
    44. Host
    45. If-Match
    46. If-Modified-Since
    47. If-None-Match
    48. If-Range
    49. If-Unmodified-Since
    50. Index
    51. Keep-Alive
    52. Large-Allocation
    53. Last-Modified
    54. Link
    55. Location
    56. Origin
    57. Pragma
    58. Proxy-Authenticate
    59. Proxy-Authorization
    60. Public-Key-Pins
    61. Public-Key-Pins-Report-Only
    62. Range
    63. Referer
    64. Referrer-Policy
    65. Retry-After
    66. Save-Data
    67. Sec-WebSocket-Accept
    68. Server
    69. Server-Timing
    70. Set-Cookie
    71. Set-Cookie2
    72. SourceMap
    73. Strict-Transport-Security
    74. TE
    75. Timing-Allow-Origin
    76. Tk
    77. Trailer
    78. Transfer-Encoding
    79. Upgrade-Insecure-Requests
    80. User-Agent
    81. Vary
    82. Via
    83. WWW-Authenticate
    84. Warning
    85. X-Content-Type-Options
    86. X-DNS-Prefetch-Control
    87. X-Forwarded-For
    88. X-Forwarded-Host
    89. X-Forwarded-Proto
    90. X-Frame-Options
    91. X-XSS-Protection
  19. HTTP request methods
    1. CONNECT
    2. DELETE
    3. GET
    4. HEAD
    5. OPTIONS
    6. PATCH
    7. POST
    8. PUT
    9. TRACE
  20. HTTP response status codes
    1. 100 Continue
    2. 101 Switching Protocols
    3. 103 Early Hints
    4. 200 OK
    5. 201 Created
    6. 202 Accepted
    7. 203 Non-Authoritative Information
    8. 204 No Content
    9. 205 Reset Content
    10. 206 Partial Content
    11. 300 Multiple Choices
    12. 301 Moved Permanently
    13. 302 Found
    14. 303 See Other
    15. 304 Not Modified
    16. 307 Temporary Redirect
    17. 308 Permanent Redirect
    18. 400 Bad Request
    19. 401 Unauthorized
    20. 402 Payment Required
    21. 403 Forbidden
    22. 404 Not Found
    23. 405 Method Not Allowed
    24. 406 Not Acceptable
    25. 407 Proxy Authentication Required
    26. 408 Request Timeout
    27. 409 Conflict
    28. 410 Gone
    29. 411 Length Required
    30. 412 Precondition Failed
    31. 413 Payload Too Large
    32. 414 URI Too Long
    33. 415 Unsupported Media Type
    34. 416 Range Not Satisfiable
    35. 417 Expectation Failed
    36. 418 I'm a teapot
    37. 422 Unprocessable Entity
    38. 425 Too Early
    39. 426 Upgrade Required
    40. 428 Precondition Required
    41. 429 Too Many Requests
    42. 431 Request Header Fields Too Large
    43. 451 Unavailable For Legal Reasons
    44. 500 Internal Server Error
    45. 501 Not Implemented
    46. 502 Bad Gateway
    47. 503 Service Unavailable
    48. 504 Gateway Timeout
    49. 505 HTTP Version Not Supported
    50. 511 Network Authentication Required
  21. CSP directives
    1. CSP: base-uri
    2. CSP: block-all-mixed-content
    3. CSP: child-src
    4. CSP: connect-src
    5. CSP: default-src
    6. CSP: font-src
    7. CSP: form-action
    8. CSP: frame-ancestors
    9. CSP: frame-src
    10. CSP: img-src
    11. CSP: manifest-src
    12. CSP: media-src
    13. CSP: object-src
    14. CSP: plugin-types
    15. CSP: referrer
    16. CSP: report-uri
    17. CSP: require-sri-for
    18. CSP: sandbox
    19. CSP: script-src
    20. CSP: style-src
    21. CSP: upgrade-insecure-requests
    22. CSP: worker-src
    23. report-to
  22. CORS errors
    1. Reason: CORS disabled
    2. Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'
    3. Reason: CORS header 'Access-Control-Allow-Origin' missing
    4. Reason: CORS header ‘Origin’ cannot be added
    5. Reason: CORS preflight channel did not succeed
    6. Reason: CORS request did not succeed
    7. Reason: CORS request external redirect not allowed
    8. Reason: CORS request not HTTP
    9. Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
    10. Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’
    11. Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed
    12. Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’
    13. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’
    14. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’
    15. Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel
  23. Feature-Policy directives
    1. Feature-Policy: autoplay
    2. Feature-Policy: camera
    3. Feature-Policy: display-capture
    4. Feature-Policy: encrypted-media
    5. Feature-Policy: fullscreen
    6. Feature-Policy: geolocation
    7. Feature-Policy: microphone
    8. Feature-Policy: midi
    9. Feature-Policy: payment
    10. Feature-Policy: vr
    11. document-domain