Jump to content

HTTP/1.1 Upgrade header

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Kvng (talk | contribs) at 21:42, 17 July 2011 (split tangential content from Hypertext Transfer Protocol). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

HTTP/1.1 introduced support for the Upgrade header field.[1] In the exchange, the client begins by making a clear-text request, which is later upgraded to Transport Layer Security (TLS). Either the client or the server may request that the connection be upgraded. The most common usage is a clear-text request by the client followed by a server demand to upgrade the connection:

Client: 

GET /encrypted-area HTTP/1.1
Host: www.example.com

Server: 

HTTP/1.1 426 Upgrade Required
Upgrade: TLS/1.0, HTTP/1.1
Connection: Upgrade

The server returns a 426 status-code to alert legacy clients that the failure was client-related (400 level codes indicate a client failure: List of HTTP status codes).

This method for establishing a secure connection is advantageous because it:

  • Does not require messy and problematic redirection and URL rewriting on the server side.
  • Enables virtual hosting of secured websites (although HTTPS also allows this using Server Name Indication).
  • Reduces the potential for user confusion by providing a single way to access a particular resource.

A disadvantage of this method is that the client cannot specify the requirement for a secure HTTP in the URI. Thus, the (untrusted) server will be responsible for enabling secure HTTP, not the (trusted) client.

References

  1. ^ RFC 2817
Retrieved from "https://en.wikipedia.org/w/index.php?title=HTTP/1.1_Upgrade_header&oldid=440013505"