HTTP/1.1 Upgrade header

HTTP/1.1 introduced support for the Upgrade header field. In the exchange, the client begins by making a clear-text request, which is later upgraded to a newer http protocol version or switched to a different protocol. Connection upgrade must be requested by the client, if the server wants to enforce an upgrade it may send a "426 upgrade required" response. The client can then send a new request with the appropriate upgrade headers.

Use with TLS

One use is to begin a request on the normal http port but switch to Transport Layer Security (TLS).^[1] In practice such use is rare with the https URL scheme being a far more common way to initiate encrypted http.

The server returns a 426 status-code to alert legacy clients that the failure was client-related (400 level codes indicate a client failure: List of HTTP status codes).

This method for establishing a secure connection is advantageous because it:

• Does not require messy and problematic redirection and URL rewriting on the server side.
• Enables virtual hosting of secured websites (although HTTPS also allows this using Server Name Indication).
• Reduces the potential for user confusion by providing a single way to access a particular resource.

A disadvantage of this method is that the client cannot specify the requirement for a secure HTTP in the URI. Therefore a man-in-the-middle may maintain an unencrypted and unathenticated connection with the client while maintaining an encrypted connection with the server.

Use with websockets

WebSocket also uses this mechanism to set up a WebSocket connection with a HTTP server in a compatible way.

See also

• HTTP Secure
• Secure Hypertext Transfer Protocol

References