HPACK - Header Compression for HTTP/2
Google, Inc (fenix@google.com)
Canon CRF (herve.ruellan@crf.canon.fr)
Applications
HTTPbis
HTTP, Header
This specification defines HPACK, a compression format for
efficiently representing HTTP header fields, to be used in
HTTP/2.
Discussion of this draft takes place on the HTTPBIS working group
mailing list (ietf-http-wg@w3.org), which is archived at .
Working Group information can be found at ; that specific to HTTP/2
are at .
The changes in this draft are summarized in .
In HTTP/1.1 (see ), header fields are
not compressed. As Web pages have grown to require dozens to
hundreds of requests, the redundant header fields in these
requests unnecessarily consume bandwidth, measurably increasing
latency.
SPDY initially addressed this
redundancy by compressing header fields using the DEFLATE format, which proved very
effective at efficiently representing the redundant header
fields. However, that approach exposed a security risk as
demonstrated by the CRIME attack (see ).
This specification defines HPACK, a new compressor for header
fields which eliminates redundant header fields, limits
vulnerability to known security attacks, and which has a bounded
memory requirement for use in constrained environments.
Potential security concerns for HPACK are described in .
The HPACK format is intentionally simple and inflexible. Both
characteristics reduce the risk of interoperability or security
issues due to implementation error. No extensibility
mechanisms are defined; changes to the format are only possible
by defining a complete replacement.
The format defined in this specification treats a list of
header fields as an ordered collection of name-value pairs
that can include duplicate pairs. Names and values are
considered to be opaque sequences of octets, and the order
of header fields is preserved after being compressed and
decompressed.
Encoding is informed by header field tables that map
header fields to indexed values. These header field tables
can be incrementally updated as new header fields are
encoded or decoded.
In the encoded form, a header field is represented either
literally or as a reference to a header field in one of
the header field tables. Therefore, a list of header fields
can be encoded using a mixture of references and literal
values.
Literal values are either encoded directly or using a static
Huffman code.
The encoder is responsible for deciding which header fields
to insert as new entries in the header field tables. The
decoder executes the modifications to the header field
tables prescribed by the encoder, reconstructing the list of
header fields in the process. This enables decoders to
remain simple and interoperate with a wide variety of
encoders.
Examples illustrating the use of these different mechanisms
to represent header fields are available in .
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in RFC 2119.
All numeric values are in network byte order. Values are
unsigned unless otherwise indicated. Literal values are
provided in decimal or hexadecimal as appropriate.
This specification uses the following terms:
A name-value pair. Both the name and value are
treated as opaque sequences of octets.
The dynamic table (see ) is a table that
associates stored header fields with index values.
This table is dynamic and specific to an encoding or
decoding context.
The static table (see )
is a table that statically associates header fields
that occur frequently
with index values. This table is ordered,
read-only, always accessible, and may be shared
amongst all encoding or decoding contexts.
A header list is an ordered collection of header
fields that are encoded jointly, and can contain
duplicate header fields. A complete list of
header fields contained in an HTTP/2 header block
is a header list.
A header field can be represented in encoded form
either as a literal or as an index (see ).
An ordered list of header field representations
which, when decoded, yields a complete header list.
This specification does not describe a specific algorithm for an
encoder. Instead, it defines precisely how a decoder is
expected to operate, allowing encoders to produce any encoding
that this definition permits.
HPACK preserves the ordering of header fields inside the
header list. An encoder MUST order header field
representations in the header block according to their
ordering in the original header list. A decoder MUST
order header fields in the decoded header list according to
their ordering in the header block.
To decompress header blocks, a decoder only needs to
maintain a dynamic table (see ) as a decoding context. No
other dynamic state is needed.
When used for bidirectional communication, such as in HTTP,
the encoding and decoding dynamic tables maintained by an
endpoint are completely independent. I.e., the request
and response dynamic tables are separate.
HPACK uses two tables for associating header fields to
indexes. The static table (see ) is predefined and contains
common header fields (most of them with an empty value). The
dynamic table (see ) is
dynamic and can be used by the encoder to index header
fields repeated in the encoded header lists.
These two tables are combined into a single address space
for defining index values (see ).
The static table consists of a predefined static list of
header fields. Its entries are defined in .
The dynamic table consists of a list of header fields
maintained in first-in, first-out order. The first and
newest entry in a dynamic table is at the lowest index,
and the oldest entry of a dynamic table is at the
highest index.
The dynamic table is initially empty. Entries are added
as each header block is decompressed.
The dynamic table can contain duplicate entries (i.e.,
entries with the same name and same value).
Therefore, duplicate entries MUST NOT be treated as an
error by a decoder.
The encoder decides how to update the dynamic table and
as such can control how much memory is used by the
dynamic table. To limit the memory requirements of the
decoder, the dynamic table size is strictly bounded (see
).
The decoder updates the dynamic table during the
processing of a list of header field representations
(see ).
The static table and the dynamic table are combined into
a single index address space.
Indices between 1 and the length of the static table
(inclusive) refer to elements in the static table (see
).
Indices strictly greater than the length of the static
table refer to elements in the dynamic table (see ). The length
of the static table is subtracted to find the index into
the dynamic table.
Indices strictly greater than the sum of the lengths of
both tables MUST be treated as a decoding error.
An encoded header field can be represented either as an
index or as a literal.
An indexed representation defines a header field as a
reference to an entry in either the static table or the
dynamic table (see ).
A literal representation defines a header field by
specifying its name and value. The header field name can be
represented literally or as a reference to an entry in
either the static table or the dynamic table. The header
field value is represented literally.
Three different literal representations are defined:
A literal representation that adds the header field
as a new entry at the beginning of the dynamic table
(see ).
A literal representation that does not add the
header field to the dynamic table (see ).
A literal representation that does not add the
header field to the dynamic table, with the
additional stipulation that this header field always
use a literal representation, in particular when
re-encoded by an intermediary (see ). This
representation is intended for protecting header
field values that are not to be put at risk by
compressing them (see for more
details).
The selection of one of these literal representations can be
guided by security considerations, in order to protect
sensitive header field values (see ).
The literal representation of a header field name or of a
header field value can encode the sequence of octets either
directly or using a static Huffman code (see ).
A decoder processes a header block sequentially to
reconstruct the original header list.
A header block is the concatenation of header field
representations. The different possible header field
representations are described in .
Once a header field is decoded and added to the
reconstructed header list, the header field cannot be
removed. A header field added to the header list can be
safely passed to the application.
By passing the resulting header fields to the application,
a decoder can be implemented with minimal transitory memory
commitment in addition to the dynamic table.
The processing of a header block to obtain a header list is
defined in this section. To ensure that the decoding will
successfully produce a header list, a decoder MUST obey the
following rules.
All the header field representations contained in a header
block are processed in the order in which they appear, as
specified below. Details on the formatting of the various
header field representations, and some additional processing
instructions are found in .
An indexed representation entails the
following actions:
The header field corresponding to the referenced
entry in either the static table or dynamic table is
appended to the decoded header list.
A literal representation that is not
added to the dynamic table entails the following
action:
The header field is appended to the decoded header
list.
A literal representation that is
added to the dynamic table entails the
following actions:
The header field is appended to the decoded header
list.
The header field is inserted at the beginning of the
dynamic table. This insertion could result in the
eviction of previous entries in the dynamic table
(see ).
To limit the memory requirements on the decoder side, the
dynamic table is constrained in size.
The size of the dynamic table is the sum of the size of its
entries.
The size of an entry is the sum of its name's length in
octets (as defined in ), its value's
length in octets, plus 32.
The size of an entry is calculated using the length of its
name and value without any Huffman encoding applied.
The additional 32 octets account for an estimated
overhead associated with an entry. For example, an
entry structure using two 64-bit pointers to
reference the name and the value of the entry, and
two 64-bit integers for counting the number of
references to the name and value would have 32
octets of overhead.
Protocols that use HPACK determine the maximum size that the
encoder is permitted to use for the dynamic table. In
HTTP/2, this value is determined by the
SETTINGS_HEADER_TABLE_SIZE setting (see ).
An encoder can choose to use less capacity than this maximum
size (see ), but the
chosen size MUST stay lower than or equal to the maximum set
by the protocol.
A change in the maximum size of the dynamic table is
signaled via an encoding context update (see ). This encoding context
update MUST occur at the beginning of the first header block
following the change to the dynamic table size. In HTTP/2,
this follows a settings acknowledgment (see ).
Multiple updates to the maximum table size can occur between
the transmission of two header blocks. In the case that this
size is changed more than once in this interval, the
smallest maximum table size that occurs in that interval
MUST be signaled in an encoding context update. The final
maximum size is always signaled, resulting in at most two
encoding context updates. This ensures that the decoder is
able to perform eviction based on reductions in dynamic
table size (see ).
This mechanism can be used to completely clear entries from
the dynamic table by setting a maximum size of 0, which can
subsequently be restored.
Whenever the maximum size for the dynamic table is reduced,
entries are evicted from the end of the dynamic table until
the size of the dynamic table is less than or equal to the
maximum size.
Before a new entry is added to the dynamic table, entries
are evicted from the end of the dynamic table until the size
of the dynamic table is less than or equal to (maximum size
- new entry size), or until the table is empty.
If the size of the new entry is less than or equal to the
maximum size, that entry is added to the table. It is not
an error to attempt to add an entry that is larger than the
maximum size; an attempt to add an entry larger than the
maximum size causes the table to be emptied of all existing
entries, and results in an empty table.
A new entry can reference the name of an entry in the
dynamic table that will be evicted when adding this new
entry into the dynamic table. Implementations are cautioned
to avoid deleting the referenced name if the referenced
entry is evicted from the dynamic table prior to inserting
the new entry.
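The sizing, eviction and index address space rules described above, as an added example (not code from the specification or its authors). The names DynamicTable, entry_size and HpackDecodeError are assumptions made for this sketch; the static table contents are the 61 entries listed in this document.

```python
from collections import deque


class HpackDecodeError(Exception):
    """Raised for any condition the specification calls a decoding error."""


# The 61 static table entries listed in this document, as opaque octets.
_PSEUDO = [(b":authority", b""), (b":method", b"GET"), (b":method", b"POST"),
           (b":path", b"/"), (b":path", b"/index.html"), (b":scheme", b"http"),
           (b":scheme", b"https")]
_PSEUDO += [(b":status", s) for s in
            (b"200", b"204", b"206", b"304", b"400", b"404", b"500")]
_NAMES = """accept-charset accept-encoding accept-language accept-ranges accept
access-control-allow-origin age allow authorization cache-control
content-disposition content-encoding content-language content-length
content-location content-range content-type cookie date etag expect expires
from host if-match if-modified-since if-none-match if-range
if-unmodified-since last-modified link location max-forwards
proxy-authenticate proxy-authorization range referer refresh retry-after
server set-cookie strict-transport-security transfer-encoding user-agent
vary via www-authenticate""".split()
STATIC_TABLE = _PSEUDO + [
    (n.encode(), b"gzip, deflate" if n == "accept-encoding" else b"")
    for n in _NAMES
]

ENTRY_OVERHEAD = 32  # estimated per-entry overhead defined by the specification


def entry_size(name: bytes, value: bytes) -> int:
    """Size of an entry: octet lengths without Huffman coding, plus 32."""
    return len(name) + len(value) + ENTRY_OVERHEAD


class DynamicTable:
    def __init__(self, protocol_max_size: int):
        # Upper bound set by the protocol (SETTINGS_HEADER_TABLE_SIZE in HTTP/2).
        self.protocol_max = protocol_max_size
        self.max_size = protocol_max_size
        self.size = 0
        self._entries = deque()  # position 0 is the newest entry

    def __len__(self) -> int:
        return len(self._entries)

    def _evict_until(self, limit: int) -> None:
        # Entries leave from the end (oldest first). A negative limit simply
        # empties the table.
        while self._entries and self.size > limit:
            name, value = self._entries.pop()
            self.size -= entry_size(name, value)

    def add(self, name: bytes, value: bytes) -> None:
        # name and value are immutable objects held by the caller, so a name
        # taken from an entry that this very call evicts stays valid.
        needed = entry_size(name, value)
        self._evict_until(self.max_size - needed)
        if needed <= self.max_size:
            self._entries.appendleft((name, value))
            self.size += needed
        # An oversized entry is not an error: the table is just left empty.

    def resize(self, new_max: int) -> None:
        """Apply a dynamic table size update received from the encoder."""
        if new_max > self.protocol_max:
            raise HpackDecodeError("size update exceeds the protocol maximum")
        self.max_size = new_max
        self._evict_until(new_max)

    def lookup(self, index: int):
        """Resolve an index in the combined static + dynamic address space."""
        if index == 0:
            raise HpackDecodeError("index 0 is not used")
        if index <= len(STATIC_TABLE):
            return STATIC_TABLE[index - 1]
        dyn = index - len(STATIC_TABLE)
        if dyn > len(self._entries):
            raise HpackDecodeError("index beyond the end of both tables")
        return self._entries[dyn - 1]
```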
HPACK encoding uses two primitive types: unsigned variable
length integers, and strings of octets.
Integers are used to represent name indexes, header field
indexes or string lengths. An integer representation can
start anywhere within an octet. To allow for optimized
processing, an integer representation always finishes at the
end of an octet.
An integer is represented in two parts: a prefix that fills
the current octet and an optional list of octets that are
used if the integer value does not fit within the prefix.
The number of bits of the prefix (called N) is a parameter
of the integer representation.
If the integer value is small enough, i.e., strictly less
than 2^N-1, it is encoded within the N-bit
prefix.
Otherwise, all the bits of the prefix are set to 1 and the
value, decreased by 2^N-1, is encoded using a
list of one or more octets. The most significant bit of each
octet is used as a continuation flag: its value is set to 1
except for the last octet in the list. The remaining bits of
the octets are used to encode the decreased value.
Decoding the integer value from the list of octets starts by
reversing the order of the octets in the list. Then, for
each octet, its most significant bit is removed. The
remaining bits of the octets are concatenated and the
resulting value is increased by 2^N-1 to
obtain the integer value.
The prefix size, N, is always between 1 and 8 bits. An
integer starting at an octet-boundary will have an 8-bit
prefix.
Examples illustrating the encoding of integers are available
in .
This integer representation allows for values of indefinite
size. It is also possible for an encoder to send a large
number of zero values, which can waste octets and could be
used to overflow integer values. Integer encodings that
exceed an implementation's limits - in value or octet length -
MUST be treated as a decoding error. Different limits can
be set for each of the different uses of integers, based on
implementation constraints.
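An added example (not code from the specification) of the prefix integer encoding together with a decoder that enforces both limits named above. The function names and the default limits max_value and max_octets are assumptions chosen for illustration; the values 10, 1337 and 42 are the ones worked through in this document's integer examples.

```python
class HpackDecodeError(Exception):
    """Raised for any condition the specification calls a decoding error."""


def encode_integer(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """Encode value with an N-bit prefix.

    flags carries the representation's bit pattern in the high (8 - N) bits
    of the first octet and must not overlap the prefix.
    """
    if not 1 <= prefix_bits <= 8:
        raise ValueError("prefix size N must be between 1 and 8 bits")
    if value < 0:
        raise ValueError("HPACK integers are unsigned")
    max_prefix = (1 << prefix_bits) - 1          # 2^N - 1
    if not 0 <= flags <= 0xFF or flags & max_prefix:
        raise ValueError("flags overlap the prefix bits")
    if value < max_prefix:
        return bytes([flags | value])
    out = bytearray([flags | max_prefix])        # prefix bits all set to 1
    value -= max_prefix
    while value >= 128:
        out.append((value % 128) + 128)          # continuation flag set
        value //= 128
    out.append(value)                            # last octet, flag clear
    return bytes(out)


def decode_integer(data: bytes, offset: int, prefix_bits: int,
                   max_value: int = 2**32 - 1, max_octets: int = 5):
    """Decode one integer starting at data[offset].

    Returns (value, next_offset). max_value bounds the decoded value and
    max_octets bounds the number of octets following the prefix, so a run of
    zero-valued continuation octets cannot be used to waste processing.
    """
    if not 1 <= prefix_bits <= 8:
        raise ValueError("prefix size N must be between 1 and 8 bits")
    if offset >= len(data):
        raise HpackDecodeError("truncated integer")
    max_prefix = (1 << prefix_bits) - 1
    value = data[offset] & max_prefix
    offset += 1
    if value < max_prefix:
        return value, offset
    shift = 0
    for _ in range(max_octets):
        if offset >= len(data):
            raise HpackDecodeError("truncated integer")
        octet = data[offset]
        offset += 1
        value += (octet & 0x7F) << shift
        if value > max_value:
            raise HpackDecodeError("integer value exceeds limit")
        shift += 7
        if not octet & 0x80:                     # continuation flag clear
            return value, offset
    raise HpackDecodeError("integer encoding exceeds octet limit")
```

A decoder can pass different max_value and max_octets arguments for indexes, string lengths and table sizes, matching the per-use limits the text allows.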
Header field names and header field values can be
represented as literal strings. A literal string is encoded
as a sequence of octets, either by directly encoding the
literal string's octets, or by using a Huffman code
(see ).
A literal string representation contains the following
fields:
A one bit flag, H, indicating whether or not the
octets of the string are Huffman encoded.
The number of octets used to encode the string
literal, encoded as an integer with 7-bit prefix
(see ).
The encoded data of the string literal. If H is
'0', then the encoded data is the raw octets of
the string literal. If H is '1', then the
encoded data is the Huffman encoding of the
string literal.
String literals which use Huffman encoding are encoded with
the Huffman code defined in
(see examples for requests in and for
responses in ). The
encoded data is the bitwise concatenation of the codes
corresponding to each octet of the string literal.
As the Huffman encoded data doesn't always end at an octet
boundary, some padding is inserted after it, up to the next
octet boundary. To prevent this padding from being misinterpreted
as part of the string literal, the most significant bits of
the code corresponding to the EOS (end-of-string) symbol are
used.
Upon decoding, an incomplete code at the end of the
encoded data is to be considered as padding and discarded. A
padding strictly longer than 7 bits MUST be treated as a
decoding error. A padding not corresponding to the most
significant bits of the code for the EOS symbol MUST be
treated as a decoding error. A Huffman encoded string
literal containing the EOS symbol MUST be treated as a
decoding error.
This section describes the detailed format of each of the
different header field representations, plus the encoding
context update instruction.
An indexed header field representation identifies an entry
in either the static table or the dynamic table (see ).
An indexed header field representation causes a
header field to be added to the decoded header list, as
described in .
An indexed header field starts with the '1' 1-bit pattern,
followed by the index of the matching header field,
represented as an integer with a 7-bit prefix (see ).
The index value of 0 is not used. It MUST be treated as a
decoding error if found in an indexed header field
representation.
A literal header field representation contains a literal
header field value. Header field names are either provided
as a literal or by reference to an existing table entry,
either from the static table or the dynamic table (see ).
This specification defines three forms of literal header
field representations; with indexing, without indexing,
and never indexed.
A literal header field with incremental indexing
representation results in appending a header field to
the decoded header list and inserting it as a new entry
into the dynamic table.
A literal header field with incremental indexing
representation starts with the '01' 2-bit pattern.
If the header field name matches the header field name
of an entry stored in the static table or the dynamic
table, the header field name can be represented using
the index of that entry. In this case, the index of the
entry is represented as an integer with a 6-bit prefix
(see ). This
value is always non-zero.
Otherwise, the header field name is represented as a
literal string (see ). A value
0 is used in place of the 6-bit index, followed by the
header field name.
Either form of header field name representation is
followed by the header field value represented as a
literal string (see ).
A literal header field without indexing representation
results in appending a header field to the decoded
header list without altering the dynamic table.
A literal header field without indexing representation
starts with the '0000' 4-bit pattern.
If the header field name matches the header field name
of an entry stored in the static table or the dynamic
table, the header field name can be represented using
the index of that entry. In this case, the index of the
entry is represented as an integer with a 4-bit prefix
(see ). This
value is always non-zero.
Otherwise, the header field name is represented as a
literal string (see ). A value
0 is used in place of the 4-bit index, followed by the
header field name.
Either form of header field name representation is
followed by the header field value represented as a
literal string (see ).
A literal header field never indexed representation
results in appending a header field to the decoded
header list without altering the dynamic table.
Intermediaries MUST use the same representation for
encoding this header field.
A literal header field never indexed representation
starts with the '0001' 4-bit pattern.
When a header field is represented as a literal header
field never indexed, it MUST always be encoded with
this specific literal representation. In particular,
when a peer sends a header field that it received
represented as a literal header field never indexed, it
MUST use the same representation to forward this header
field.
This representation is intended for protecting header
field values that are not to be put at risk by
compressing them (see for more details).
The encoding of the representation is identical to the
literal header field without indexing
(see ).
A dynamic table size update signals a change to the size of
the dynamic table.
A dynamic table size update starts with the '001' 3-bit
pattern, followed by the new maximum size, represented as an
integer with a 5-bit prefix (see ).
The new maximum size MUST be lower than or equal to the last
value of the maximum size of the dynamic table. A value that
exceeds this limit MUST be treated as a decoding error. In
HTTP/2, this limit is the last value of the
SETTINGS_HEADER_TABLE_SIZE parameter (see )
received from the decoder and acknowledged by the encoder
(see ).
Reducing the maximum size of the dynamic table can cause
entries to be evicted (see ).
This section describes potential areas of security concern
with HPACK:
Use of compression as a length-based oracle for
verifying guesses about secrets that are compressed
into a shared compression context.
Denial of service resulting from exhausting processing
or memory capacity at a decoder.
HPACK reduces the length of header field encodings by
exploiting the redundancy inherent in protocols like HTTP.
The ultimate goal of this is to reduce the amount of data
that is required to send HTTP requests or responses.
The compression context used to encode header fields can be
probed by an attacker who can both define header fields to
be encoded and transmitted and observe the length of those
fields once they are encoded. When an attacker can do both,
they can adaptively modify requests in order to confirm
guesses about the dynamic table state. If a guess is
compressed into a shorter length, the attacker can observe
the encoded length and infer that the guess was correct.
This is possible even over the Transport Layer Security
Protocol (TLS, see ), because while
TLS provides confidentiality protection for content, it only
provides a limited amount of protection for the length of
that content.
Padding schemes only provide limited protection
against an attacker with these capabilities,
potentially only forcing an increased number of
guesses to learn the length associated with a given
guess. Padding schemes also work directly against
compression by increasing the number of bits that
are transmitted.
Attacks like CRIME demonstrated
the existence of these general attacker capabilities. The
specific attack exploited the fact that DEFLATE removes redundancy based
on prefix matching. This permitted the attacker to confirm
guesses a character at a time, reducing an exponential-time
attack into a linear-time attack.
HPACK mitigates but does not completely prevent attacks
modeled on CRIME by forcing
a guess to match an entire header field value, rather
than individual characters. An attacker can only learn
whether a guess is correct or not, so is reduced to a
brute force guess for the header field values.
The viability of recovering specific header field values
therefore depends on the entropy of values. As a
result, values with high entropy are unlikely to be
recovered successfully. However, values with low
entropy remain vulnerable.
Attacks of this nature are possible any time that two
mutually distrustful entities control requests or
responses that are placed onto a single HTTP/2
connection. If the shared HPACK compressor permits one
entity to add entries to the dynamic table, and the
other to access those entries, then the state of the
table can be learned.
Having requests or responses from mutually distrustful
entities occurs when an intermediary either:
sends requests from multiple clients on a single
connection toward an origin server, or
takes responses from multiple origin servers and
places them on a shared connection toward a
client.
Web browsers also need to assume that requests made on
the same connection by different web origins are made by mutually
distrustful entities.
Users of HTTP that require confidentiality for header
fields can use values with entropy sufficient to make
guessing infeasible. However, this is impractical as a
general solution because it forces all users of HTTP to
take steps to mitigate attacks. It would impose new
constraints on how HTTP is used.
Rather than impose constraints on users of HTTP, an
implementation of HPACK can instead constrain how
compression is applied in order to limit the potential
for dynamic table probing.
An ideal solution segregates access to the dynamic table
based on the entity that is constructing header fields.
Header field values that are added to the table are
attributed to an entity, and only the entity that
created a particular value can extract that value.
To improve compression performance of this option,
certain entries might be tagged as being public. For
example, a web browser might make the values of the
Accept-Encoding header field available in all requests.
An encoder without good knowledge of the provenance of
header fields might instead introduce a penalty for
a header field with many different values, such that a
large number of attempts to guess a header field
value results in the header field no longer being compared
to the dynamic table entries in future messages,
effectively preventing further guesses.
Simply removing entries corresponding to the
header field from the dynamic table
can be ineffectual if the attacker has a
reliable way of causing values to be
reinstalled. For example, a request to load an
image in a web browser typically includes the
Cookie header field (a potentially highly valued
target for this sort of attack), and web sites
can easily force an image to be loaded, thereby
refreshing the entry in the dynamic table.
This response might be made inversely proportional to
the length of the header field value. Marking a header
field as not using the dynamic table any more
might occur for shorter values more quickly
or with higher probability than for longer values.
Implementations can also choose to protect sensitive
header fields by not compressing them and instead
encoding their value as literals.
Refusing to generate an indexed representation for a
header field is only effective if compression is avoided
on all hops. The never indexed literal (see ) can be used
to signal to intermediaries that a particular value was
intentionally sent as a literal.
An intermediary MUST NOT re-encode a value that uses the
never indexed literal representation with another
representation that would index it. If HPACK is used
for re-encoding, the never indexed literal
representation MUST be used.
The choice to use a never indexed literal representation
for a header field depends on several factors. Since
HPACK doesn't protect against guessing an entire header
field value, short or low-entropy values are more
readily recovered by an adversary. Therefore, an encoder
might choose not to index values with low entropy.
An encoder might also choose not to index values for
header fields that are considered to be highly valuable
or sensitive to recovery, such as the Cookie or
Authorization header fields.
On the contrary, an encoder might prefer indexing values
for header fields that have little or no value if they
were exposed. For instance, a User-Agent header field
does not commonly vary between requests and is sent to
any server. In that case, confirmation that a particular
User-Agent value has been used provides little value.
Note that these criteria for deciding to use a never
indexed literal representation will evolve over time as
new attacks are discovered.
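One way an encoder could combine the mitigations above: the penalty for header fields with many different values, scaled by value length, and the never indexed literal for sensitive fields. This is an added example, not code from the specification; the class IndexingPolicy, its thresholds and the header names x-pin and x-token used to exercise it are assumptions, while Cookie and Authorization are the sensitive fields named in the text.

```python
from enum import Enum


class Rep(Enum):
    """Literal representations, valued by their leading bit pattern."""
    INCREMENTAL_INDEXING = "01"
    WITHOUT_INDEXING = "0000"
    NEVER_INDEXED = "0001"


# Header fields the text names as highly valuable to an attacker.
SENSITIVE_NAMES = frozenset({b"cookie", b"authorization"})


class IndexingPolicy:
    """Decide per header field whether its value may enter the dynamic table.

    All thresholds are assumptions for this sketch: a name may carry at most
    1 + (shortest value length // octets_per_extra_value) distinct values,
    capped at max_distinct, before it stops being indexed. Shorter values are
    therefore penalised sooner than longer ones.
    """

    def __init__(self, max_distinct: int = 16, octets_per_extra_value: int = 4,
                 max_tracked_names: int = 256):
        self.max_distinct = max_distinct
        self.octets_per_extra_value = octets_per_extra_value
        self.max_tracked_names = max_tracked_names
        self._seen = {}        # name -> set of distinct values observed
        self._blocked = set()  # names that exhausted their budget

    def _budget(self, values) -> int:
        shortest = min(len(v) for v in values)
        return min(self.max_distinct,
                   1 + shortest // self.octets_per_extra_value)

    def choose(self, name: bytes, value: bytes) -> Rep:
        name = name.lower()
        # Never indexed also tells intermediaries not to index the value,
        # since avoiding compression only helps if it holds on all hops.
        if name in SENSITIVE_NAMES or name in self._blocked:
            return Rep.NEVER_INDEXED
        tracked = len(self._seen) + len(self._blocked)
        if name not in self._seen and tracked >= self.max_tracked_names:
            # Bounded bookkeeping: names we cannot track are sent as plain
            # literals and kept out of the dynamic table.
            return Rep.WITHOUT_INDEXING
        values = self._seen.setdefault(name, set())
        values.add(value)
        if len(values) > self._budget(values):
            # Too many different values for this name: stop indexing it for
            # good, so reinstalling a value does not re-enable guessing.
            self._blocked.add(name)
            del self._seen[name]
            return Rep.NEVER_INDEXED
        return Rep.INCREMENTAL_INDEXING

    def reencode(self, received: Rep, name: bytes, value: bytes) -> Rep:
        """Intermediary rule: a never indexed literal stays never indexed."""
        if received is Rep.NEVER_INDEXED:
            return Rep.NEVER_INDEXED
        return self.choose(name, value)
```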
There is no currently known attack against a static Huffman
encoding. A study has shown that using a static Huffman
encoding table created an information leakage, however this
same study concluded that an attacker could not take
advantage of this information leakage to recover any
meaningful amount of information (see ).
An attacker can try to cause an endpoint to exhaust its
memory. HPACK is designed to limit both the peak and state
amounts of memory allocated by an endpoint.
The amount of memory used by the compressor is limited by
the protocol using HPACK through the definition of the
maximum size of the dynamic table.
In HTTP/2, this value is controlled by the decoder through
the setting parameter SETTINGS_HEADER_TABLE_SIZE (see ).
This limit takes into account both the size of the data
stored in the dynamic table, plus a small allowance for
overhead.
A decoder can limit the amount of state memory used by
setting an appropriate value for the maximum size of the
dynamic table. In HTTP/2, this is realized by setting an
appropriate value for the SETTINGS_HEADER_TABLE_SIZE
parameter. An encoder can limit the amount of state memory
it uses by signaling a lower dynamic table size than the
decoder allows (see ).
The amount of temporary memory consumed by an encoder or
decoder can be limited by processing header fields
sequentially. An implementation does not need to retain a
complete list of header fields. Note however that it might
be necessary for an application to retain a complete header
list for other reasons; even though HPACK does not force
this to occur, application constraints might make this
necessary.
An implementation of HPACK needs to ensure that large values
for integers, long encoding for integers, or long string
literals do not create security weaknesses.
An implementation has to set a limit for the values it
accepts for integers, as well as for the encoded length (see
). In the same way,
it has to set a limit to the length it accepts for string
literals (see ).
This document has no IANA actions.
This specification includes substantial input from the following
individuals:
Mike Bishop, Jeff Pinner, Julian Reschke, Martin Thomson
(substantial editorial contributions).
Johnny Graettinger (Huffman code statistics).
Hypertext Transfer Protocol version 2 (Twist, Google, Mozilla)
Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing (Adobe Systems Incorporated, fielding@gbiv.com; greenbytes GmbH, julian.reschke@greenbytes.de)
Key words for use in RFCs to Indicate Requirement Levels (Harvard University, sob@harvard.edu)
SPDY Protocol (Twist, Google)
The Transport Layer Security (TLS) Protocol Version 1.2
The Web Origin Concept
DEFLATE Compressed Data Format Specification version 1.3 (Aladdin Enterprises)
The CRIME Attack
A Method for the Construction of Minimum Redundancy Codes
Generating a canonical prefix encoding
PETAL: Preset Encoding Table Information Leakage
The static table (see ) consists of
a predefined and unchangeable list of header fields.
The static table was created from the most frequent header
fields used by popular web sites, with the addition of
HTTP/2-specific pseudo-header fields (see ).
For header fields with a few frequent
values, an entry was added for each of these frequent values.
For other header fields, an entry was added with an empty
value.
The following table lists the predefined header fields that
make up the static table.
Index | Header Name                 | Header Value
1     | :authority                  |
2     | :method                     | GET
3     | :method                     | POST
4     | :path                       | /
5     | :path                       | /index.html
6     | :scheme                     | http
7     | :scheme                     | https
8     | :status                     | 200
9     | :status                     | 204
10    | :status                     | 206
11    | :status                     | 304
12    | :status                     | 400
13    | :status                     | 404
14    | :status                     | 500
15    | accept-charset              |
16    | accept-encoding             | gzip, deflate
17    | accept-language             |
18    | accept-ranges               |
19    | accept                      |
20    | access-control-allow-origin |
21    | age                         |
22    | allow                       |
23    | authorization               |
24    | cache-control               |
25    | content-disposition         |
26    | content-encoding            |
27    | content-language            |
28    | content-length              |
29    | content-location            |
30    | content-range               |
31    | content-type                |
32    | cookie                      |
33    | date                        |
34    | etag                        |
35    | expect                      |
36    | expires                     |
37    | from                        |
38    | host                        |
39    | if-match                    |
40    | if-modified-since           |
41    | if-none-match               |
42    | if-range                    |
43    | if-unmodified-since         |
44    | last-modified               |
45    | link                        |
46    | location                    |
47    | max-forwards                |
48    | proxy-authenticate          |
49    | proxy-authorization         |
50    | range                       |
51    | referer                     |
52    | refresh                     |
53    | retry-after                 |
54    | server                      |
55    | set-cookie                  |
56    | strict-transport-security   |
57    | transfer-encoding           |
58    | user-agent                  |
59    | vary                        |
60    | via                         |
61    | www-authenticate            |
 gives the index of each
entry in the static table.
The following Huffman code is used when encoding string literals
with a Huffman coding (see ).
This Huffman code was generated from statistics obtained on a
large sample of HTTP headers. It is a canonical Huffman code
(see ) with some tweaking to ensure
that no symbol has a unique code length.
Each row in the table defines the code used to represent a
symbol:
The symbol to be represented. It is the decimal value of
an octet, possibly prepended with its ASCII
representation. A specific symbol, "EOS", is used to
indicate the end of a string literal.
The Huffman code for the symbol represented as a base-2
integer, aligned on the most significant bit (MSB).
The Huffman code for the symbol, represented as a
hexadecimal integer, aligned on the least significant
bit (LSB).
The number of bits for the code representing the symbol.
As an example, the code for the symbol 47 (corresponding to the
ASCII character "/") consists of the 6 bits "0", "1", "1", "0",
"0", "0". This corresponds to the value 0x18 (in hexadecimal)
encoded in 6 bits.
A number of examples are worked through here, covering integer
encoding, header field representation, and the encoding of whole
lists of header fields, for both requests and responses, and
with and without Huffman coding.
This section shows the representation of integer values in
detail (see ).
The value 10 is to be encoded with a 5-bit prefix.
10 is less than 31 (2^5 - 1) and
is represented using the 5-bit prefix.
The value I=1337 is to be encoded with a 5-bit prefix.
1337 is greater than 31 (2^5 - 1).
The 5-bit prefix is filled with its max value (31).
I = 1337 - (2^5 - 1) = 1306.
I (1306) is greater than or equal to 128, the while loop body executes:
I % 128 == 26
26 + 128 == 154
154 is encoded in 8 bits as: 10011010
I is set to 10 (1306 / 128 == 10)
I is no longer greater than or equal to 128, the while loop
terminates.
I, now 10, is encoded in 8 bits as:
00001010.
The process ends.
The value 42 is to be encoded starting at an
octet-boundary. This implies that an 8-bit prefix is
used.
42 is less than 255 (2^8 - 1) and
is represented using the 8-bit prefix.
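The three integer examples above, reproduced by a prefix-integer encoder and a bounded decoder. This is an added example, not code from the specification; the function names, the flags parameter and the MAX_CONTINUATION_OCTETS cap are assumptions of the example. The decoder rejects truncated input and encodings longer than the cap, so a peer cannot keep it accumulating continuation octets without limit.

```python
from __future__ import annotations

# Assumed local limit (not a value from the specification): five continuation
# octets carry 35 payload bits, which bounds every decoded value.
MAX_CONTINUATION_OCTETS = 5


def encode_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """Encode value with an N-bit prefix; flags fills the bits above the prefix."""
    if not 1 <= prefix_bits <= 8:
        raise ValueError("prefix must be 1..8 bits")
    limit = (1 << prefix_bits) - 1          # 2^N - 1
    if value < 0 or flags & limit or not 0 <= flags <= 0xFF:
        raise ValueError("negative value or flags overlapping the prefix")
    if value < limit:
        return bytes([flags | value])       # fits in the prefix itself
    out = bytearray([flags | limit])        # prefix filled with its max value
    value -= limit
    while value >= 128:
        out.append(value % 128 + 128)       # 7 payload bits, continuation bit set
        value //= 128
    out.append(value)                       # last octet, continuation bit clear
    return bytes(out)


def decode_int(data: bytes, prefix_bits: int, pos: int = 0) -> tuple[int, int]:
    """Return (value, next_pos); raise ValueError on truncated or over-long input."""
    if pos >= len(data):
        raise ValueError("truncated integer")
    limit = (1 << prefix_bits) - 1
    value = data[pos] & limit               # ignore the flag bits above the prefix
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    for _ in range(MAX_CONTINUATION_OCTETS):
        if pos >= len(data):
            raise ValueError("truncated integer")
        octet = data[pos]
        pos += 1
        value += (octet & 0x7F) << shift
        shift += 7
        if not octet & 0x80:                # continuation bit clear: done
            return value, pos
    raise ValueError("integer encoding too long")
```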
This section shows several independent representation examples.
The header field representation uses a literal name and a literal
value. The header field is added to the dynamic table.
The header field representation uses an indexed name and a literal
value. The header field is not added to the dynamic table.
Dynamic table (after decoding): empty.
The header field representation uses a literal name and a literal
value. The header field is not added to the dynamic table, and must
use the same representation if re-encoded by an intermediary.
Dynamic table (after decoding): empty.
The header field representation uses an indexed header field, from
the static table.
Dynamic table (after decoding): empty.
This section shows several consecutive header lists, corresponding to
HTTP requests, on the same connection.
This section shows the same examples as the previous section, but using
Huffman encoding for the literal values.
This section shows several consecutive header lists, corresponding to
HTTP responses, on the same connection. The HTTP/2 setting parameter
SETTINGS_HEADER_TABLE_SIZE is set to the value of 256 octets, causing
some evictions to occur.
The (":status", "302") header field is evicted from the dynamic table
to free space to allow adding the (":status", "307") header field.
Several header fields are evicted from the dynamic table during the
processing of this header list.
This section shows the same examples as the previous section, but using
Huffman encoding for the literal values. The HTTP/2 setting parameter
SETTINGS_HEADER_TABLE_SIZE is set to the value of 256 octets, causing
some evictions to occur. The eviction mechanism uses the length of the
decoded literal values, so the same evictions occur as in the previous
section.
The (":status", "302") header field is evicted from the dynamic table
to free space to allow adding the (":status", "307") header field.
Several header fields are evicted from the dynamic table during the
processing of this header list.
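The eviction behaviour in the two response sections above, as a small dynamic table model with a 256-octet limit. This is an added example, not code from the specification: the class and function names are the example's own, the header values in replay_sample are constructed sample input, and the size rule assumed is the length of the decoded name plus the length of the decoded value plus 32 octets per entry.

```python
from collections import deque

ENTRY_OVERHEAD = 32  # octets counted per entry on top of name and value lengths


class DynamicTable:
    def __init__(self, max_size):
        self.max_size = max_size
        self.size = 0
        self.entries = deque()      # newest entry at the left (lowest index)

    @staticmethod
    def entry_size(name, value):
        # Decoded octet lengths: Huffman coding on the wire does not change them.
        return len(name) + len(value) + ENTRY_OVERHEAD

    def _evict_to(self, target):
        evicted = []
        while self.size > target and self.entries:
            name, value = self.entries.pop()        # oldest entry goes first
            self.size -= self.entry_size(name, value)
            evicted.append((name, value))
        return evicted

    def add(self, name, value):
        """Insert an entry and return the entries evicted to make room."""
        need = self.entry_size(name, value)
        evicted = self._evict_to(max(self.max_size - need, 0))
        if need <= self.max_size:
            self.entries.appendleft((name, value))
            self.size += need
        return evicted      # an entry larger than max_size only empties the table

    def resize(self, new_max):
        """Apply a new maximum size and return the entries evicted by it."""
        self.max_size = new_max
        return self._evict_to(new_max)


def replay_sample():
    """Constructed sample: four entries totalling 222 octets, then (":status", "307")."""
    table = DynamicTable(256)
    for name, value in [(b":status", b"302"), (b"cache-control", b"private"),
                        (b"date", b"Mon, 21 Oct 2013 20:13:21 GMT"),
                        (b"location", b"https://www.example.com")]:
        table.add(name, value)
    size_before = table.size
    evicted = table.add(b":status", b"307")
    return size_before, evicted, table.size
```

Because sizes are computed on decoded octets, the Huffman-coded run evicts exactly the same entries; a decoder that counted wire lengths instead would let its table drift out of sync with the encoder's.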
Editorial corrections for taking into account IETF LC
comments.
Added links to security sections.
Made spec more independent of HTTP/2.
Expanded security section about never indexed
literal usage.
Replaced most usages of 'name-value pair' with
'header field'.
Changed 'header table' to 'header field table'.
Renamed header table to dynamic table.
Updated integer representation.
Editorial corrections.
Removed the reference set.
Removed header emission.
Explicit handling of several SETTINGS_HEADER_TABLE_SIZE
parameter changes.
Changed header set to header list, and forced ordering.
Updated examples.
Exchanged header and static table positions.
Removed old text on index value of 0.
Added clarification for signalling of maximum table size
after a SETTINGS_HEADER_TABLE_SIZE update.
Rewrote security considerations.
Many editorial clarifications or improvements.
Added convention section.
Reworked document's outline.
Updated static table. Entry 16 has now "gzip, deflate"
for value.
Updated Huffman table, using data set provided by
Google.
Updated format to include literal headers that must
never be compressed.
Updated security considerations.
Moved integer encoding examples to the appendix.
Updated Huffman table.
Updated static header table (adding and removing status
values).
Updated examples.
Regenerated examples.
Only one Huffman table for requests and responses.
Added maximum size for dynamic table, independent of
SETTINGS_HEADER_TABLE_SIZE.
Added pseudo-code for integer decoding.
Improved examples (removing unnecessary removals).
Updated examples: take into account changes in the spec,
and show more features.
Use 'octet' everywhere instead of having both 'byte' and
'octet'.
Added reference set emptying.
Editorial changes and clarifications.
Added "host" header to the static table.
Ordering for list of values (either NULL- or
comma-separated).
A large number of editorial changes; changed the
description of evicting/adding new entries.
Removed substitution indexing
Changed 'initial headers' to 'static headers', as per
issue #258
Merged 'request' and 'response' static headers, as per
issue #259
Changed text to indicate that new headers are added at
index 0 and expire from the largest index, as per issue
#233
Corrected error in integer encoding pseudocode.
Refactored Header Encoding Section: split
definitions and processing rule.
Backward incompatible change: Updated reference set
management as per issue #214. This changes how the
interaction between the reference set and eviction
works. This also changes the working of the
reference set in some specific cases.
Backward incompatible change: modified initial
header list, as per issue #188.
Added example of 32 octets entry structure (issue
#191).
Added Header Set Completion section. Reflowed some
text. Clarified some writing which was awkward.
Added text about duplicate header entry encoding.
Clarified some language w.r.t Header Set. Changed
x-my-header to mynewheader. Added text in the
HeaderEmission section indicating that the
application may also be able to free up memory more
quickly. Added information in Security
Considerations section.
Fixed bug/omission in integer representation
algorithm.
Changed the document title.
Header matching text rewritten.
Changed the definition of header emission.
Changed the name of the setting which dictates how
much memory the compression context should use.
Removed "specific use cases" section.
Corrected erroneous statement about what index can be
contained in one octet.
Added descriptions of opcodes.
Removed security claims from introduction.