Security Considerations for Optimistic Protocol Transitions in HTTP/1.1 Meta Platforms, Inc.
ietf@bemasc.net
WIT httpbis Request Smuggling False Start HTTP CONNECT In HTTP/1.1, the client can request a change to a new protocol on the existing connection. This document discusses the security considerations that apply to data sent by the client before this request is confirmed and adds new requirements to RFCs 9112 and 9298 to avoid related security issues.
Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .
Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
  • .  Overview
  • .  Requirements Language
  • .  Background
  • .  Possible Security Issues
    • .  Request Smuggling
    • .  Parser Exploits
  • .  Operational Issues
  • .  Impact on HTTP Upgrade with Existing Upgrade Tokens
    • .  "TLS"
    • .  "WebSocket"/"websocket"
    • .  "connect-udp"
    • .  "connect-ip"
  • .  Guidance for Future Upgrade Tokens
    • .  Selection of Request Methods
  • .  Requirements for HTTP CONNECT
  • .  Security Considerations
  • IANA Considerations
  • References
    • .  Normative References
    • .  Informative References
  • Acknowledgments
  • Author's Address
Overview This document discusses certain security considerations that arise when switching from HTTP/1.1 to a different protocol on the same connection. It provides:
  • a review of the relevant standards,
  • a discussion of the security risks that may apply if a client sends data before the transition is confirmed,
  • a security evaluation of existing upgrade tokens, and
  • guidance for implementations and future standards documents.
Updates to and , including new normative requirements, are provided in Sections and , respectively.
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Background In HTTP/1.1 and later, a single connection can be used for many requests. In HTTP/2 and HTTP/3 , these requests can be multiplexed, as each request is distinguished explicitly by its stream ID. However, in HTTP/1.1, requests are strictly sequential, and each new request is distinguished implicitly by the closure of the preceding request. HTTP/1.1 is also the only version of HTTP that allows the client to change the protocol used for the remainder of the connection. There are two mechanisms to request such a protocol transition. One mechanism is the Upgrade header field (). When included in a request, this field indicates that the client would like to use this connection for a protocol other than HTTP/1.1. The server replies with a 101 (Switching Protocols) status code if it accepts the protocol change (). The other mechanism is the HTTP CONNECT method (). This method indicates that the client wishes to establish a TCP connection to the specified host and port. If accepted, the server replies with a 2xx (Successful) response to indicate that the request was accepted and a TCP connection was established. After this point, the TCP connection is acting as a TCP tunnel, not an HTTP/1.1 connection. Both of these mechanisms also permit the server to reject the request. For example, says:
A server MAY ignore a received Upgrade header field if it wishes to continue using the current protocol on that connection.
and says:
A server MUST reject a CONNECT request that targets an empty or invalid port number, typically by responding with a 400 (Bad Request) status code.
Rejected upgrades are common and can happen for a variety of reasons, such as:
  • The server does not support any of the client's indicated upgrade tokens (i.e., the client's proposed new protocols), so it continues to use HTTP/1.1.
  • The server knows that an upgrade to the offered protocol will not provide any improvement over HTTP/1.1 for this request to this resource, so it chooses to respond in HTTP/1.1.
  • The server requires the client to authenticate before upgrading the protocol, so it replies with the status code 401 (Authentication Required) and provides a challenge in an Authorization response header field ().
  • The resource has moved, so the server replies with a 3xx (Redirection) status code ().
Similarly, servers frequently reject HTTP CONNECT requests, such as when:
  • The server does not support HTTP CONNECT.
  • The specified destination is not allowed under server policy.
  • The destination cannot be resolved, is unreachable, or does not accept the connection.
  • The proxy requires the client to authenticate before proceeding.
After rejecting a request, the server will continue to interpret bytes received on that connection in accordance with HTTP/1.1. also states:
A client cannot begin using an upgraded protocol on the connection until it has completely sent the request message (i.e., the client can't change the protocol it is sending in the middle of a message).
In other words, completion of the request message is a necessary condition for the client to begin using the new protocol. However, it is important to clarify that this is not a sufficient condition because the server might reject the request. In some cases, the client might predict that the server is likely to accept a requested protocol transition. For example, if a request using an upgrade token recently succeeded, the client might expect that subsequent requests with the same upgrade token will also succeed. If this expectation is correct, the client can often reduce delay by immediately sending the first bytes of the new protocol "optimistically", without waiting for the server's response. This document explores the security implications of this "optimistic" behavior.
Possible Security Issues When there are only two distinct parties involved in an HTTP/1.1 connection (i.e., the client and the server), protocol transitions introduce no new security issues: Each party must already be prepared for the other to send arbitrary data on the connection at any time. However, HTTP connections often involve more than two parties if the requests or responses include third-party data. For example, a browser (party 1) might send an HTTP request to an origin (party 2) with the path, headers, or content controlled by a website from a different origin (party 3). Post-transition protocols, such as WebSocket , are also frequently used to convey data chosen by a third party. If the third-party data source is untrusted, then the data it provides is potentially "attacker-controlled". The combination of attacker-controlled data and optimistic protocol transitions results in two significant security issues.
Request Smuggling In a Request Smuggling attack (), the attacker-controlled data is chosen in such a way that it is interpreted by the server as an additional HTTP request. These attacks allow the attacker to speak on behalf of the client while bypassing the client's own rules about what requests it will issue. Request Smuggling can occur if the client and server have distinct interpretations of the data that flows between them. If the server accepts a protocol transition request, it interprets the subsequent bytes in accordance with the new protocol. If it rejects the request, it interprets those bytes as HTTP/1.1. However, the client cannot know which interpretation the server will take until it receives the server's response status code. If it uses the new protocol optimistically, this creates a risk that the server will interpret attacker-controlled data in the new protocol as an additional HTTP request issued by the client. As a trivial example, consider an HTTP CONNECT client providing connectivity to an untrusted application. If the client is authenticated to the proxy server using a connection-level authentication method such as TLS Client Certificates (), the attacker could send an HTTP/1.1 POST request () for the proxy server at the beginning of its TCP connection. If the client delivers this data optimistically, and the CONNECT request fails, the server would misinterpret the application's data as a subsequent authenticated request issued by the client.
Example Request Smuggling Attack Using HTTP CONNECT ## REQUESTS ## # The malicious application requests a TCP connection to a nonexistent # destination, which will fail. CONNECT no-such-destination.example:443 HTTP/1.1 Host: no-such-destination.example:443 # Before connection fails, the malicious application sends data on the # proxied TCP connection that forms a valid POST request to the proxy. # The vulnerable client optimistically forwards this data to the proxy. POST /upload HTTP/1.1 Host: proxy.example Content-Length: 123456 <POST body controlled by the malicious application> ## RESPONSES ## # When TCP connection establishment fails, the proxy responds by # rejecting the CONNECT request, but the client has already forwarded # the malicious TCP payload data to the proxy. HTTP/1.1 504 Gateway Timeout Content-Length: 0 # The proxy interprets the smuggled POST request as coming from the # client. If connection-based authentication is in use (e.g., using # TLS client certificate authentication), the proxy treats this # malicious request as authenticated. HTTP/1.1 200 OK Content-Length: 0
Parser Exploits A related category of attacks use protocol disagreement to exploit vulnerabilities in the server's request parsing logic. These attacks apply when the HTTP client is trusted by the server, but the post-transition data source is not. If the server software was developed under the assumption that some or all of the HTTP request data is not attacker-controlled, optimistic transmission can cause this assumption to be violated, exposing vulnerabilities in the server's HTTP request parser.
Operational Issues If the server rejects the transition request, the connection can continue to be used for HTTP/1.1. There is no general requirement to close the connection in response to a rejected transition, and keeping the connection open has performance advantages if additional HTTP requests to this server are likely. Thus, it is normally inappropriate to close the connection in response to a rejected transition.
Impact on HTTP Upgrade with Existing Upgrade Tokens This section describes the impact of this document's considerations on some registered upgrade tokens that are believed to be in use at the time of writing.
"TLS" The "TLS" family of upgrade tokens was defined in , which correctly highlights the possibility of the server rejecting the upgrade. If a client ignores this possibility and sends TLS data optimistically, the result cannot be valid HTTP/1.1: The first octet of a TLS connection must be 22 (ContentType.handshake), but this is not an allowed character in an HTTP/1.1 method (see and ). A compliant HTTP/1.1 server will treat this as a parsing error and close the connection without processing further requests.
"WebSocket"/"websocket" says:
Once the client's opening handshake has been sent, the client MUST wait for a response from the server before sending any further data.
Thus, optimistic use of HTTP Upgrade is already forbidden in the WebSocket protocol. Additionally, the WebSocket protocol requires high-entropy masking of client-to-server frames ().
"connect-udp" says:
A client MAY optimistically start sending UDP packets in HTTP Datagrams before receiving the response to its UDP proxying request.
However, in HTTP/1.1, this "proxying request" is an HTTP Upgrade request. This upgrade is likely to be rejected in certain circumstances, such as when the UDP destination address (which is attacker-controlled) is invalid. Additionally, the contents of the "connect-udp" protocol stream can include untrusted material (i.e., the UDP packets, which might come from other applications on the client device). This creates the possibility of Request Smuggling attacks. To avoid these concerns, this document replaces that text to exclude HTTP/1.1 from any optimistic sending, as follows:
A client MAY optimistically start sending UDP packets in HTTP Datagrams before receiving the response to its UDP proxying request but only if the HTTP version in use is HTTP/2 or later. Clients MUST NOT send UDP packets optimistically in HTTP/1.x due to the risk of Request Smuggling attacks.
"connect-ip" The "connect-ip" upgrade token is defined in . forbids clients from sending packets optimistically in HTTP/1.1, avoiding this issue.
Guidance for Future Upgrade Tokens There are now several good examples of designs that reduce or eliminate the security concerns discussed in this document and may be applicable in future specifications:
  • Forbid optimistic use of HTTP Upgrade ( and ).
  • Embed a fixed preamble that deliberately terminates HTTP/1.1 processing ().
  • Apply high-entropy masking of client-to-server data ().
Future specifications for upgrade tokens should account for the security issues discussed here and provide clear guidance on how implementations can avoid them.
Selection of Request Methods Some upgrade tokens, such as "TLS", are defined for use with any ordinary HTTP method. The upgraded protocol continues to provide HTTP semantics and will convey the response to this HTTP request. The other upgrade tokens mentioned in do not preserve HTTP semantics, so the method is not relevant. All of these upgrade tokens are specified only for GET requests with no content. Future specifications for upgrade tokens should restrict their use to GET requests with no content if the HTTP method is otherwise irrelevant and the request does not need to carry any message content. This improves consistency with other upgrade tokens and simplifies server implementation.
Requirements for HTTP CONNECT This document updates to include the remaining text of this section. The requirements in this section apply only to HTTP/1.1. Proxy clients that send CONNECT requests on behalf of untrusted TCP clients MUST do one or both of the following:
  1. Wait for a 2xx (Successful) response before forwarding any TCP payload data.
  2. Send a "Connection: close" request header.
Proxy clients that don't implement at least one of these two behaviors are vulnerable to a trivial Request Smuggling attack (). At the time of writing, some proxy clients are believed to be vulnerable as described. As a mitigation, proxy servers MUST close the underlying connection when rejecting a CONNECT request without processing any further requests on that connection. This requirement applies whether or not the request includes a "close" connection option. Note that this mitigation will frequently cause slower connection establishment for correctly implemented clients, especially when returning a 407 (Proxy Authentication Required) response. This performance loss can be avoided by using HTTP/2 or HTTP/3, which are not vulnerable to this attack. As a performance optimization, proxy servers MAY disable this mitigation if the client is known to wait for a 2xx (Successful) response before forwarding untrusted TCP payload data (i.e., complying with item 1 above). Proxy servers can identify compliant clients using the request's User-Agent header field and the user agent vendor's documentation regarding its compliance.
Security Considerations This document describes security considerations related to optimistic use of protocol transitions in HTTP/1.1.
IANA Considerations This document has no IANA actions.
References Normative References Proxying UDP in HTTP This document describes how to proxy UDP in HTTP, similar to how the HTTP CONNECT method allows proxying TCP in HTTP. More specifically, this document defines a protocol that allows an HTTP client to create a tunnel for UDP communications through an HTTP server that acts as a proxy. HTTP Semantics The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. HTTP/1.1 The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document specifies the HTTP/1.1 message syntax, message parsing, connection management, and related security concerns. This document obsoletes portions of RFC 7230. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Proxying IP in HTTP This document describes how to proxy IP packets in HTTP. This protocol is similar to UDP proxying in HTTP but allows transmitting arbitrary IP packets. More specifically, this document defines a protocol that allows an HTTP client to create an IP tunnel through an HTTP server that acts as an IP proxy. This document updates RFC 9298. HTTP/2 This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced latency by introducing field compression and allowing multiple concurrent exchanges on the same connection. This document obsoletes RFCs 7540 and 8740. HTTP/3 The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3. Hypertext Transfer Protocol (HTTP) Upgrade Token Registry IANA Upgrading to TLS Within HTTP/1.1 This memo explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. [STANDARDS-TRACK] The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. The WebSocket Protocol The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code. The security model used for this is the origin-based security model commonly used by web browsers. The protocol consists of an opening handshake followed by basic message framing, layered over TCP. The goal of this technology is to provide a mechanism for browser-based applications that need two-way communication with servers that does not rely on opening multiple HTTP connections (e.g., using XMLHttpRequest or s and long polling). [STANDARDS-TRACK]
Acknowledgments This document benefited from valuable reviews and suggestions by:
Author's Address Meta Platforms, Inc.
ietf@bemasc.net