The Upgrade header field is an HTTP header field introduced in HTTP/1.1. In the exchange, the client begins by making a cleartext request, which is later upgraded to a newer HTTP protocol version or switched to a different protocol. Connection upgrade must be requested by the client; if the server wants to enforce an upgrade it may send a
426 Upgrade Required response. The client can then send a new request with the appropriate upgrade headers while keeping the connection open.
The server returns a
426 status code to alert legacy clients that the failure was client-related (
400 level codes indicate a client failure).
This method for establishing a secure connection is advantageous because it:
If the same resources are available from the server via both encrypted secure means and unencrypted clear means, a man-in-the-middle may maintain an unencrypted and unauthenticated connection with the client while maintaining an encrypted connection with the server.
Disadvantages of this method include:
WebSocket also uses this mechanism to set up a connection with a HTTP server in a compatible way. The WebSocket Protocol has two parts: a handshake to establish the upgraded connection, then the actual data transfer. First, a client requests a WebSocket connection by using the
Upgrade: WebSocket and
Connection: Upgrade headers, along with a few protocol-specific headers to establish the version being used and set up a handshake. The server, if it supports the protocol, replies with the same
Upgrade: WebSocket and
Connection: Upgrade headers and completes the handshake. Once the handshake is completed successfully, data transfer begins.
The HTTP Upgrade mechanism is used to establish HTTP/2 starting from plain HTTP. The client starts a HTTP/1.1 connection and sends "Upgrade: h2c" header. If the server supports HTTP/2, it replies with HTTP 101 Switching Protocol status code. The HTTP Upgrade mechanism is used only for cleartext HTTP2 (h2c). In the case of HTTP2 over TLS (h2), the ALPN TLS protocol extension is used instead.
Manage research, learning and skills at defaultlogic.com. Create an account using LinkedIn to manage and organize your omni-channel knowledge. defaultlogic.com is like a shopping cart for information -- helping you to save, discuss and share.