HTTP/1.1 Upgrade header
HTTP/1.1 introduced support for the Upgrade header field. In the exchange, the client begins by making a clear-text request, which is later upgraded to a newer http protocol version or switched to a different protocol. Connection upgrade must be requested by the client, if the server wants to enforce an upgrade it may send a "426 upgrade required" response. The client can then send a new request with the appropriate upgrade headers.
Use with TLS
One use is to begin a request on the normal http port but switch to Transport Layer Security (TLS).[1] In practice such use is rare with the https URL scheme being a far more common way to initiate encrypted http.
The server returns a 426 status-code to alert legacy clients that the failure was client-related (400 level codes indicate a client failure: List of HTTP status codes).
This method for establishing a secure connection is advantageous because it:
- Does not require messy and problematic redirection and URL rewriting on the server side.
- Enables virtual hosting of secured websites (although HTTPS also allows this using Server Name Indication).
- Reduces the potential for user confusion by providing a single way to access a particular resource.
A disadvantage of this method is that the client cannot specify the requirement for a secure HTTP in the URI. Therefore a man-in-the-middle may maintain an unencrypted and unauthenticated connection with the client while maintaining an encrypted connection with the server.
Use with websockets
WebSocket also uses this mechanism to set up a WebSocket connection with a HTTP server in a compatible way.
