<?xmlversion='1.0' encoding='utf-8'?>version="1.0" encoding="UTF-8"?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.5.6 --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-httpbis-cache-header-10"category="std"number="9211" obsoletes="" updates="" submissionType="IETF" category="std" consensus="true" tocInclude="true" sortRefs="true" symRefs="true" xml:lang="en" version="3"> <!-- xml2rfc v2v3 conversion 3.9.1 --> <front> <title abbrev="Cache-Status Header">The Cache-Status HTTP Response Header Field</title> <seriesInfoname="Internet-Draft" value="draft-ietf-httpbis-cache-header-10"/>name="RFC" value="9211"/> <author initials="M." surname="Nottingham" fullname="Mark Nottingham"> <organization>Fastly</organization> <address> <postal><city>Prahran</city> <region>VIC</region> <country>Australia</country><postalLine>Prahran</postalLine> <postalLine>Australia</postalLine> </postal> <email>mnot@mnot.net</email> <uri>https://www.mnot.net/</uri> </address> </author><date/><date year="2022" month="June" /> <area>Applications and Real-Time</area> <workgroup>HTTP</workgroup> <keyword>http</keyword> <keyword>cache</keyword> <keyword>debugging</keyword> <keyword>x-cache</keyword> <abstract> <t>To aid debugging, HTTP caches often append header fields to aresponseresponse, explaining how they handled the request in an ad hoc manner. This specification defines a standard mechanism to do so that is aligned with HTTP's caching model.</t> </abstract><note> <name>Note to Readers</name> <t><em>RFC EDITOR: please remove this section before publication</em></t> <t>Discussion of this draft takes place on the HTTP working group mailing list (ietf-http-wg@w3.org), which is archived at <eref target="https://lists.w3.org/Archives/Public/ietf-http-wg/">https://lists.w3.org/Archives/Public/ietf-http-wg/</eref>.</t> <t>Working Group information can be found at <eref target="https://httpwg.org/">https://httpwg.org/</eref>; source code and issues list for this draft can be found at <eref target="https://github.com/httpwg/http-extensions/labels/cache-header">https://github.com/httpwg/http-extensions/labels/cache-header</eref>.</t> </note></front> <middle> <section anchor="introduction" numbered="true" toc="default"> <name>Introduction</name> <t>To aid debugging (both by humans and automated tools), HTTP caches often append header fields to a response explaining how they handled the request. Unfortunately, the semantics of theseheadersheader fields are often unclear, and both the semantics and syntax used vary between implementations.</t> <t>This specification defines a new HTTP response header field,"Cache-Status""Cache-Status", for thispurpose,purpose with standardized syntax and semantics.</t> <section anchor="notational-conventions" numbered="true" toc="default"> <name>Notational Conventions</name><t>The<t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xreftarget="RFC2119" format="default"/>target="RFC2119"/> <xreftarget="RFC8174" format="default"/>target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> <t>This document usesABNF as defined in <xref target="RFC5234" format="default"/>, with rules prefixed with "sf-" andthe"key" rule as defined infollowing terminology from <xreftarget="STRUCTURED-FIELDS" format="default"/>. Itsection="3" sectionFormat="of" target="STRUCTURED-FIELDS"/> to specify syntax and parsing: List, String, Token, Integer, and Boolean.</t> <t>This document also uses terminology from <xreftarget="HTTP" format="default"/>target="HTTP"/> and <xreftarget="HTTP-CACHING" format="default"/>.</t>target="HTTP-CACHING"/>.</t> </section> </section> <section anchor="field" numbered="true" toc="default"> <name>The Cache-Status HTTP Response Header Field</name> <t>The Cache-Status HTTP response header field indicates how caches have handled that response and its corresponding request. The syntax of this header field conforms to <xref target="STRUCTURED-FIELDS" format="default"/>.</t> <t>Its value is aList (<xref section="3.1" sectionFormat="comma" target="STRUCTURED-FIELDS" format="default"/>):</t> <sourcecode type="abnf"><![CDATA[ Cache-Status = sf-list ]]></sourcecode> <t>EachList. Each member of thelistList represents a cache that has handled the request. The first memberof the listrepresents the cache closest to the origin server, and the last memberof the listrepresents the cache closest to the user (possibly including the user agent's cacheitself,itself if it appends a value).</t> <t>Caches determine when it is appropriate to add the Cache-Status header field to a response. Some might add it to all responses, whereas others might only do so when specifically configured to, or when the request contains a header field that activates a debugging mode. See <xref target="security" format="default"/> for related security considerations.</t> <t>An intermediarySHOULD NOT<bcp14>SHOULD NOT</bcp14> append a Cache-Status member to responses that it generates locally, even if that intermediary contains a cache, unless the generated response is based upon a stored response (e.g., 304Not Modified(Not Modified) and 206Partial Content(Partial Content) are both based upon a stored response). For example, a proxy generating a 400 response due to a malformed request will not add a Cache-Status value, because that response was generated by the proxy, not the origin server.</t> <t>When adding a value to the Cache-Status header field, cachesSHOULD<bcp14>SHOULD</bcp14> preserve the existing field value, to allow debugging of the entire chain of caches handling the request.</t> <t>EachlistList member identifies the cache that inserteditit, and this identifierMUST<bcp14>MUST</bcp14> be a String or Token. Depending on the deployment, this might be a product or service name (e.g.,ExampleCache"ExampleCache" or "Example CDN"), a hostname ("cache-3.example.com"), an IP address, or a generated string.</t> <t>Each member of the list can have parameters that describe that cache's handling of the request. While these parameters areOPTIONAL,<bcp14>OPTIONAL</bcp14>, caches are encouraged to provide as much information as possible.</t> <t>This specification defines the followingparameters:</t> <sourcecode type="abnf"><![CDATA[ hit = sf-boolean fwd = sf-token fwd-status = sf-integer ttl = sf-integer stored = sf-boolean collapsed = sf-boolean key = sf-string detail = sf-token / sf-string ]]></sourcecode>parameters.</t> <section anchor="the-hit-parameter" numbered="true" toc="default"> <name>The hitparameter</name> <t>"hit",Parameter</name> <t>The value of "hit" is a Boolean that, when true, indicates that the request was satisfied by the cache;i.e.,that is, it was not forwarded, and the response was obtained from the cache.</t> <t>A response that was originally produced by the origin but was modified by the cache (for example, a 304 or 206 status code) is still considered a hit, as long as it did not go forward (e.g., for validation).</t> <t>A response that was in cache but not able to be used without going forward (e.g., because it wasstale,stale or partial) is not considered a hit. Note that a stale response that is used without going forward (e.g., because the origin server is not available) can be considered a hit.</t> <t>"hit" and "fwd" are exclusive; only one of them should appear on each list member.</t> </section> <section anchor="the-fwd-parameter" numbered="true" toc="default"> <name>The fwdparameter</name> <t>"fwd"Parameter</name> <t>"fwd", when present, indicates that the request went forward towards theorigin, andorigin; its value is a Token that indicates why.</t> <t>The following parameter values are defined to explain why the request went forward, from most specific to least:</t><ul<dl spacing="normal"><li>bypass - The<dt>bypass:</dt> <dd>The cache was configured to not handle thisrequest</li> <li>method - Therequest.</dd> <dt>method:</dt> <dd>The request method's semantics require the request to beforwarded</li> <li>uri-miss - Theforwarded.</dd> <dt>uri-miss:</dt> <dd>The cache did not contain any responses that matched the requestURI</li> <li>vary-miss - TheURI.</dd> <dt>vary-miss:</dt> <dd>The cache contained a response that matched the request URI, but it could not select a response based upon this request'sheadersheader fields and stored Varyheaders.</li> <li>miss - Theheader fields.</dd> <dt>miss:</dt> <dd>The cache did not contain any responses that could be used to satisfy this request (to be used when an implementation cannot distinguish between uri-miss andvary-miss)</li> <li>request - Thevary-miss).</dd> <dt>request:</dt> <dd>The cache was able to select a fresh response for the request, but the request's semantics (e.g., Cache-Control request directives) did not allow itsuse</li> <li>stale - Theuse.</dd> <dt>stale:</dt> <dd>The cache was able to select a response for the request, but it wasstale</li> <li>partial - Thestale.</dd> <dt>partial:</dt> <dd>The cache was able to select a partial response for the request, but it did not contain all of the requested ranges (or the request was for the completeresponse)</li> </ul>response).</dd> </dl> <t>The most specific reasonthatknown to the cacheis aware of SHOULD<bcp14>SHOULD</bcp14> be used, to the extent that it is possible to implement. See also <xref section="4" sectionFormat="comma" target="HTTP-CACHING" format="default"/>.</t> </section> <section anchor="the-fwd-status-parameter" numbered="true" toc="default"> <name>The fwd-statusparameter</name> <t>"fwd-status"Parameter</name> <t>The value of "fwd-status" is an Integer that indicateswhatwhich status code (see <xref section="15" sectionFormat="comma"target="HTTP" format="default"/>)target="HTTP"/>) thenext hopnext-hop server returned in response to the forwarded request.OnlyThe fwd-status parameter is only meaningful when"fwd"fwd ispresent; if "fwd-status"present. If fwd-status is not present but"fwd"the fwd parameter is, it defaults to the status code sent in the response.</t> <t>This parameter is useful to distinguish cases when thenext hopnext-hop server sends a 304Not Modified(Not Modified) response to a conditionalrequest,request or a 206Partial Response(Partial Content) response because of a range request.</t> </section> <section anchor="the-ttl-parameter" numbered="true" toc="default"> <name>The ttlparameter</name> <t>"ttl"Parameter</name> <t>The value of "ttl" is an Integer that indicates the response's remaining freshness lifetime (see <xref section="4.2.1" sectionFormat="comma"target="HTTP-CACHING" format="default"/>)target="HTTP-CACHING"/>) as calculated by the cache, as an integer number of seconds, measured as closely as possible to when the response header section is sent by the cache. This includes freshness assigned by thecache; e.g., throughcache through, for example, heuristics (see <xref section="4.2.2" sectionFormat="comma"target="HTTP-CACHING" format="default"/>),target="HTTP-CACHING"/>), local configuration, or other factors.MayIt may be negative, to indicate staleness.</t> </section> <section anchor="the-stored-parameter" numbered="true" toc="default"> <name>The storedparameter</name> <t>"stored"Parameter</name> <t>The value of "stored" is a Boolean that indicates whether the cache stored the response (see <xref section="3" sectionFormat="comma"target="HTTP-CACHING" format="default"/>);target="HTTP-CACHING"/>); a true value indicates that it did.OnlyThe stored parameter is only meaningful when fwd is present.</t> </section> <section anchor="the-collapsed-parameter" numbered="true" toc="default"> <name>The collapsedparameter</name> <t>"collapsed"Parameter</name> <t>The value of "collapsed" is a Boolean that indicates whether this request was collapsed together with one or more other forward requests (see <xref section="4" sectionFormat="comma"target="HTTP-CACHING" format="default"/>); iftarget="HTTP-CACHING"/>). If true, the response was successfully reused; if not, a new request had to be made. If not present, the request was not collapsed with others.OnlyThe collapsed parameter is only meaningful when fwd is present.</t> </section> <section anchor="the-key-parameter" numbered="true" toc="default"> <name>The keyparameter</name> <t>"key"Parameter</name> <t>The value of "key" is a String that conveys a representation of the cache key (see <xref section="2" sectionFormat="comma"target="HTTP-CACHING" format="default"/>)target="HTTP-CACHING"/>) used for the response. Note that this may beimplementation-specific.</t>implementation specific.</t> </section> <section anchor="the-detail-parameter" numbered="true" toc="default"> <name>The detailparameter</name> <t>"detail"Parameter</name> <t>The value of "detail" is either a String or a Token that allows implementations to convey additional information not captured in otherparameters; for example,parameters, such as implementation-specificstates,states or other caching-related metrics.</t> <t>For example:</t> <sourcecode type="http-message"><![CDATA[ Cache-Status: ExampleCache; hit; detail=MEMORY ]]></sourcecode> <t>The semantics of a detail parameter are always specific to the cache that sent it; even if amember ofdetails parameter from another cache shares the samename,value, it might not mean the same thing.</t> <t>This parameter is intentionally limited. If an implementation's developer or operator needs to convey additional information in an interoperable fashion, they are encouraged to register extension parameters (see <xref target="register" format="default"/>) or define another header field.</t> </section> </section> <section anchor="examples" numbered="true" toc="default"> <name>Examples</name> <t>Themostfollowing is an example of a minimal cache hit:</t> <sourcecode type="http-message"><![CDATA[ Cache-Status: ExampleCache; hit ]]></sourcecode><t>... but<t>However, a polite cache will give some more information, e.g.:</t> <sourcecode type="http-message"><![CDATA[ Cache-Status: ExampleCache; hit; ttl=376 ]]></sourcecode> <t>A stale hit just has negativefreshness:</t>freshness, as in this example:</t> <sourcecode type="http-message"><![CDATA[ Cache-Status: ExampleCache; hit; ttl=-412 ]]></sourcecode> <t>Whereas this is an example of a completemiss is:</t>miss:</t> <sourcecode type="http-message"><![CDATA[ Cache-Status: ExampleCache; fwd=uri-miss ]]></sourcecode><t>A<t>This is an example of a miss that successfully validated on theback-endbackend server:</t> <sourcecode type="http-message"><![CDATA[ Cache-Status: ExampleCache; fwd=stale; fwd-status=304 ]]></sourcecode><t>A<t>This is an example of a miss that was collapsed with another request:</t> <sourcecode type="http-message"><![CDATA[ Cache-Status: ExampleCache; fwd=uri-miss; collapsed ]]></sourcecode><t>A<t>This is an example of a miss that the cache attempted to collapse, but couldn't:</t> <sourcecode type="http-message"><![CDATA[ Cache-Status: ExampleCache; fwd=uri-miss; collapsed=?0 ]]></sourcecode><t>Going<t>The following is an example of going through two separate layers of caching, where the cache closest to the origin responded to an earlier request with a stored response, and a second cache stored that response and later reused it to satisfy the current request:</t> <sourcecode type="http-message"><![CDATA[ Cache-Status: OriginCache; hit; ttl=1100, "CDN Company Here"; hit; ttl=545 ]]></sourcecode><t>Going<t>The following is an example of going through a three-layer caching system, where the closest to the origin is a reverse proxy (where the response was served fromcache),cache); the next is a forward proxy interposed by the network (where the request was forwarded because there wasn't any response cached with its URI, the request was collapsed with others, and the resulting response wasstored),stored); and the closest to the user is a browser cache (where there wasn't any response cached with the request's URI):</t> <sourcecode type="http-message"><![CDATA[ Cache-Status: ReverseProxyCache; hit Cache-Status: ForwardProxyCache; fwd=uri-miss; collapsed; stored Cache-Status: BrowserCache; fwd=uri-miss ]]></sourcecode> </section> <section anchor="register" numbered="true" toc="default"> <name>Defining New Cache-Status Parameters</name> <t>New Cache-StatusParametersparameters can be defined by registering them in theHTTP Cache-Status Parameters"HTTP Cache-Status" registry.</t> <t>Registration requests are reviewed and approved by aDesignated Expert, asdesignated expert, per <xref section="4.5" sectionFormat="comma" target="RFC8126" format="default"/>. A specification document isappreciated,appreciated but not required.</t> <t>TheExpert(s)expert(s) should consider the following factors when evaluating requests:</t> <ul spacing="normal"> <li>Community feedback</li> <li>If the value is sufficientlywell-defined</li>well defined</li> <li>Generic parameters are preferred over vendor-specific, application-specific, or deployment-specific values. If a generic value cannot be agreed upon in the community, the parameter's name should be correspondingly specific (e.g., with a prefix that identifies the vendor,applicationapplication, or deployment).</li> </ul> <t>Registration requests should use the following template:</t><ul<dl spacing="normal"><li>Name: [a<dt>Name:</dt> <dd>[a name for the Cache-StatusParameter that matchesparameter's key; see <xref section="3.1.2" sectionFormat="of" target="STRUCTURED-FIELDS"/> for syntactic requirements]</dd> <dt>Type:</dt><dd>[the Structured Type of the'key' ABNF rule]</li> <li>Description: [aparameter's value; see <xref section="3.1.2" sectionFormat="of" target="STRUCTURED-FIELDS"/>]</dd> <dt>Description:</dt> <dd>[a description of theparameter semantics and value]</li> <li>Reference: [toparameter's semantics]</dd> <dt>Reference:</dt> <dd>[to a specification defining this parameter, ifavailable]</li> </ul>available]</dd> </dl> <t>See the registry at <ereftarget="https://iana.org/assignments/http-cache-status">https://iana.org/assignments/http-cache-status</eref>brackets="angle" target="https://www.iana.org/assignments/http-cache-status"></eref> for details on where to send registration requests.</t> </section> <section anchor="iana-considerations" numbered="true" toc="default"> <name>IANA Considerations</name><t>Upon publication, please create<t>IANA has created theHTTP Cache-Status Parameters"HTTP Cache-Status" registry at <ereftarget="https://iana.org/assignments/http-cache-status">https://iana.org/assignments/http-cache-status</eref>brackets="angle" target="https://www.iana.org/assignments/http-cache-status"></eref> andpopulatepopulated it with the types defined in <xref target="field" format="default"/>; see <xref target="register" format="default"/> for its associated procedures.</t><t>Also, please create<t>IANA has added the following entry in theHypertext"Hypertext Transfer Protocol (HTTP) Field NameRegistryRegistry" defined in <xref section="18.4" sectionFormat="comma" target="HTTP" format="default"/>:</t><ul spacing="normal"> <li>Field name: Cache-Status</li> <li>Status: permanent</li> <li>Specification document: [this document]</li> <li>Comments:</li> </ul><dl spacing="compact"> <dt>Field name:</dt> <dd>Cache-Status</dd> <dt>Status:</dt> <dd>permanent</dd> <dt>Reference:</dt> <dd>RFC 9211</dd> </dl> </section> <section anchor="security" numbered="true" toc="default"> <name>Security Considerations</name> <t>Attackers can use the information in Cache-Status to probe thebehaviourbehavior of the cache (and othercomponents),components) and infer the activity of those using the cache. The Cache-Status header field may not create these risks on its own, but it can assist attackers in exploiting them.</t> <t>For example, knowing if a cache has stored a response can help an attacker execute a timing attack on sensitive data.</t> <t>Additionally, exposing the cache key can help an attacker understand modifications to the cache key, which may assist cache poisoning attacks. See <xref target="ENTANGLE" format="default"/> for details.</t> <t>The underlying risks can be mitigated with a variety of techniques (e.g.,use ofusing encryption andauthentication;authentication and avoiding the inclusion of attacker-controlled data in the cache key), depending on their exact nature. Note that merely obfuscating the key does not mitigate this risk.</t> <t>To avoid assisting such attacks, the Cache-Status header field can be omitted, only sent when the client is authorized to receive it, oronly sendsent with sensitive information (e.g., the key parameter) only when the client is authorized.</t> </section> </middle> <back> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> <referenceanchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"> <organization/> </author> <date month="March" year="1997"/> <abstract> <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC8126"> <front> <title>Guidelines for Writing an IANA Considerations Section in RFCs</title> <author fullname="M. Cotton" initials="M." surname="Cotton"> <organization/> </author> <author fullname="B. Leiba" initials="B." surname="Leiba"> <organization/> </author> <author fullname="T. Narten" initials="T." surname="Narten"> <organization/> </author> <date month="June" year="2017"/> <abstract> <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t> <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t> <t>This is the third edition of this document; it obsoletes RFC 5226.</t> </abstract> </front> <seriesInfo name="BCP" value="26"/> <seriesInfo name="RFC" value="8126"/> <seriesInfo name="DOI" value="10.17487/RFC8126"/> </reference> <reference anchor="STRUCTURED-FIELDS">anchor="STRUCTURED-FIELDS" target="https://www.rfc-editor.org/info/rfc8941"> <front> <title>Structured Field Values for HTTP</title> <author fullname="M. Nottingham" initials="M." surname="Nottingham"> <organization/> </author> <author fullname="P-H. Kamp" initials="P-H." surname="Kamp"> <organization/> </author> <date month="February" year="2021"/><abstract> <t>This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields that wish to use a common syntax that is more restrictive than traditional HTTP field values.</t> </abstract></front> <seriesInfo name="RFC" value="8941"/> <seriesInfo name="DOI" value="10.17487/RFC8941"/> </reference><reference anchor="HTTP"> <front> <title>HTTP Semantics</title> <author fullname="Roy T. Fielding"> <organization>Adobe</organization> </author> <author fullname="Mark Nottingham"> <organization>Fastly</organization> </author> <author fullname="Julian Reschke"> <organization>greenbytes GmbH</organization> </author> <date day="25" month="July" year="2021"/> <abstract> <t> The Hypertext Transfer Protocol (HTTP) is a stateless application- level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This<!-- [HTTP] [I.D.ietf-httpbis-semantics] in AUTH48; companion documentupdates RFC 3864 and obsoletes RFC 2818, RFC 7231,RFC7232, RFC 7233, RFC 7235, RFC 7538, RFC 7615, RFC 7694, and portions of RFC 7230. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-semantics-17"/> </reference>9110 --> <referenceanchor="HTTP-CACHING">anchor='HTTP' target="https://www.rfc-editor.org/info/rfc9110"> <front> <title>HTTPCaching</title> <author fullname="Roy T. Fielding"> <organization>Adobe</organization> </author>Semantics</title> <authorfullname="Mark Nottingham"> <organization>Fastly</organization>initials='R' surname='Fielding' fullname='Roy Fielding' role="editor"> <organization /> </author> <authorfullname="Julian Reschke"> <organization>greenbytes GmbH</organization>initials='M' surname='Nottingham' fullname='Mark Nottingham' role="editor"> <organization /> </author><date day="25" month="July" year="2021"/> <abstract> <t> The Hypertext Transfer Protocol (HTTP) is a stateless application- level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages. This document obsoletes RFC 7234. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-cache-17"/> </reference> <reference anchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title><authorfullname="B. Leiba" initials="B." surname="Leiba"> <organization/>initials='J' surname='Reschke' fullname='Julian Reschke' role="editor"> <organization /> </author> <datemonth="May" year="2017"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract>year='2022' month='June' /> </front> <seriesInfoname="BCP" value="14"/>name="STD" value="97"/> <seriesInfo name="RFC"value="8174"/>value="9110"/> <seriesInfo name="DOI"value="10.17487/RFC8174"/>value="10.17487/RFC9110"/> </reference> <!-- [HTTP-CACHING] [I.D.ietf-httpbis-cache] in AUTH48; companion document RFC 9111 --> <referenceanchor="RFC5234">anchor='HTTP-CACHING' target="https://www.rfc-editor.org/info/rfc9111"> <front><title>Augmented BNF for Syntax Specifications: ABNF</title><title>HTTP Caching</title> <authorfullname="D. Crocker" initials="D." role="editor" surname="Crocker"> <organization/>initials='R' surname='Fielding' fullname='Roy Fielding' role="editor"> <organization /> </author> <authorfullname="P. Overell" initials="P." surname="Overell"> <organization/>initials='M' surname='Nottingham' fullname='Mark Nottingham' role="editor"> <organization /> </author> <author initials='J' surname='Reschke' fullname='Julian Reschke' role="editor"> <organization /> </author> <datemonth="January" year="2008"/> <abstract> <t>Internet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK]</t> </abstract>year='2022' month='June' /> </front> <seriesInfo name="STD"value="68"/>value="98"/> <seriesInfo name="RFC"value="5234"/>value="9111"/> <seriesInfo name="DOI"value="10.17487/RFC5234"/>value="10.17487/RFC9111"/> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references> <references> <name>Informative References</name> <reference anchor="ENTANGLE"target="https://i.blackhat.com/USA-20/Wednesday/us-20-Kettle-Web-Cache-Entanglement-Novel-Pathways-To-Poisoning-wp.pdf">target="https://portswigger.net/research/web-cache-entanglement"> <front> <title>Web Cache Entanglement: Novel Pathways to Poisoning</title> <author initials="J." surname="Kettle" fullname="James Kettle"> <organization>PortSwigger</organization> </author> <date month="September" year="2020"/> </front> </reference> </references> </references> </back><!-- ##markdown-source: H4sIAOxoHGEAA7VbaXMbR5L93r+iFvog0gGAh2SPDa5mhyYpi7MSxSWpcUzs TDgK3QWgRo0uTFc3IYyC/u37MrOqD/CQrd1lKESgu448Xx5VHI1GSWWr3EzU zcKoE50uzOi60lXt1Zubm0t1ZfzKFd6oN0ZnplSvrcmzRE+npbmdbI3nEUnm 0kIvsWBW6lk1sqaajRZVtZpaP0p5/IIHjg72k0xXGPj59Pjm7C5J8WXuys1E +SpLErsqJ6oqa18d7u//sH+Y6NLoiTperXKLoRZUKV1koFDnoxu7NMnalR/n patXE6Y9+Wg2eJRNkpEiAvCL98fvzEzr+dwWc3z+JFQlydxWi3o6st7XZpTr qcknqktwkvgKG/6ic1eA6o3xiV/qsvrln7WrjJ+owiWJrquFKyeJGiUKP7bA 83djdeGqCtst9JIfi4De6fLj9htXznVh/8X8TdRr7at8wy9SW0Eyl6VelLrg J6WZ86C/nJ/ICFcXFYnvGDIrdW41PzZLbcHJsnDVn+i/cWEqflGXdsKC8ZO9 vfV6PY5v95KkcOUSNNwacKKuXp8cHhz8ED5+f3D4HX28vrn6cHLz4ersdPT6 /Ozt6fWE3/7w8gAvSf4TdT46Hff070FMUdnUhyGjk+OTN+cXPz0wNCjFFrMu KWcXN8cXP709mzAHlS7npmqZsONprtOPC12NU7fc+3B9PDrc3/vZZIXxmd7s 1R7fR/9pKhj86GczHYn9nhXQ6zw3S1NUowt3a/LRpa4Wa73xoxs3unTWuwI6 Gq1X41U2k63FaQZYRbxAdVeZKF5GxWVU5VSzzIAXENM/3D/c56+N3eBHTCcY z5/HSggOD8V0/oz/ff9F33IuXVldr+18TnabjEYjpadkFWmVJDdOaZu1TjAU V2eJe+VmlSmUXq0MnEssX83I65kLDbMLiGA+rXJtiSO1cGtVLcxGLeAgucno Cwb+sza+AhvwU6WxmEsV9F+Ycgy0sV75lUntLHgz6JlZKApbsJ/pMlNLk2JF 65e0deaUd1hZY0mMyu28wE5reC3T/9wzB0TO0mUmHwe+YdTmlwv6r3K/XDE/ Pkm+ga2qs9Pzm/dXE7XKjfZE8BJaww5EmkmZqKmB/Rm1qqcRdb5JklPr09p7 eu9mMp7BDgb5EQxALKlReElSYNESMhFhjE6KHJK+5RbS2WmsfrSe/2n9Ygw9 7g7VemHTBfNZgqdbMAq2/z0aOs30Yxm8dywj/N4lE7nXXXDvjxDDz2H3n3j3 xqNAYKqJQzUDcvQ3oN/rOS//xyOIvS7BUQqxMuQyRHqhH4t1JfDoioKu7Jey OP8amU+wNpKk32PI9XtdyCXqSYdLm8GskuSZOgfEuaxm5dy3ZLUzdTCHKQyx hqVJgIBrOfBLVulc7nf/f819rD6QgKu6wJb5ZsjvGtwTezFYTrYi/ZpAQ12k sMNyyEQzH/2p9NhvgDKfVO2x6a0uN5B1tTaYbJcrgR6JjJDbkx5WmLVIoWGv y/pQDbqRfdAqeVWXK+fNUNwu+qn9l2lIYyojzeSDz55RjGMCdK5OXHELKolG ItEoBGlyD4h78O7D9c1gKL/VxXv+fHX2Xx/OEWPo8/Wb47dvmw9xxPWb9x/e nraf2pkn79+9O7s4lcl4qrYevTv+60CkPXh/eXP+/uL47YDQSszZpTXJkxUE S4BR26Iy5ao0ZEoaI4xPSzvFF8z58eRSHbxUnz//W4iWd3fhy/cHf3iJL+uF KWQzV+Sb8JWNiGxPlwyTeQ6zXNlK535IW3hYWgHVlCYqtCELJuDV8Y8Xr4UU UiwTIpt+e/gCmwY1lXVOqFRi0KeImAM/Gw2YHDKyAbQw4HH3V7sX5+/uxuo8 EACBLG3hcjffqFnpljSB7AoM09rhWwzzmEkG8XtSTfX5GZvknVjL/VkPGjBI z8joQSH5anD1hQa6ty4LdGomM6pViCCulGcZ+Xnj0rR1sO8I+L3tUsegypDx +fNDEkuScyx/q/PaMKqrtwz+DwwequsQe16MD+7udidJ8uuvvyJ8F7Okx75S rxS0SChMI5LkDG8RMpdT0CU4IxBdGujew2hoX5aFcL/Q/mEEI3ZntsTUp1ej Z7JemgMV8LJy/NCVFnAMHChvTQA0nq+/fkmYW6l2AD7eTuE/FmBZs5Kal3qO FUIWYEibJp8NlZ3hY8B34p9VsAt9nIhRZEZs2LBL0lhSz2pVulVpYUEcBTKh vyf+ngH0QsVYXbulQdCaLyqea5kL8u44xFOEh1tDAwB6igMymrFBEh0mp8Hv HM/Jyuy8LjmSDSFkGdPNtTCkQpAiRvv0kb6R/NlbdgrdCZmULIFiY2C5yHpQ FVQbuC9BfmlyjpvxMS3vLVZtgsxxIai4NJmlcNRCcAypui+1oH2IoxFFSOkq Bf3R0pRZOOZ4qMwt6WQWhnR36nDKCh8ifgLmxILiSlnr4dDqVFPYrPGdc0xX dt/vmPF8PFQv9l9SuFLvXAa5E9CDh8P975DKl5WVAFbFsCDJxhOr7o7Va8jR fNIUnuEIQGH3aRPpI/Fr9XJ/vyUjq8XikCTmBCm8mOh2bWFAyGbZpLbEylY9 RJBKNXxhC9zWsLJWIkiOSERMyJDXu+exlDOSZWEjIVFwK3jio14wjEAbrICd uuSMmtIneDqtJgYZCBa3AES39hiAgZIEiBj5v+Usu8Fw4FV0+whYAfoYS4KB wUqxAPbqQkqwIhBFgiBYYGCCaTTDS8XZB6K9VtdVyQSV6sZ9NMVYnRoyaX4m bpeZVe42FI+Hso54Mc9eSZ5K00kKFgk01W7R0M7EJqR2xJhBeKBOTi8Gu2Qq C+crmTGQnPjFOBgSZdE8plDnl6QlCNozIOiOoj2TP348LlCuzjFxpUvsUxEM sYhiZiPfePPnHdGHNZpw8fPC5iaktZ2lyENiXtWYBj00RYqCAnDNuAk53dqM E49lTTVPpz7Bs4D45umMluiZObIkIrAlohs8F1B488Ohc4p6wOgima2zrTcV KZyej3wv2BIEUUmNuntrRnwTEOCBXVLQp1deXvbeUA7cX010lyA4oVa8R5ja 64zh0P9MkipisWE+SQb4PhiGKFGSv7V5Eau2GzoIJTyk6hn2Akqw1o6UHRuY rJVBBBlQ0RqJv8na4N6DGzclcMY6nBQ2K1HEaAcyCTyawYdjnHhNS0DApWkt I5cRlrv0qZ1ZH2QJxPGEYDuoj0rXXYoBwCBKskMcI3wnoXGynTvCOk9sZigq ic25i5xGt6WdgF02Y/vbfYQhWwTKiG6G7Gkeqwiu3SgHdzVtwJDY3yOieJA3 WCC2sPFKYhAzQqtus8F9xkCGlnlbxGHib9//XlyI++pbWCWxtBvr/XuUBOOT 6gp+NBDP/4SszdtbmBRnOq4wAU2WVOvUCAyhGoJvmy1MHzdmTv7aNXNe/ynT poAdmawc/fId7sSG14vNWIqMB4BE4pXAVyyPoM7QE6C5j244FB9YAs0b8KK5 1HOqgE/fwJZXGonLiHkTuyG999I9lrsk6xJpwlaYDgIXLgvTIwXy8Lnv9A/o FYXULqFiko03YzUkeqOl3SIn+kNIuiCvzXb+BsTGyH7n78PVOVakPsX9JcNS bDB9G31kpSE7U8pGQrQgvUed1J3dycS6Inru22YLNScEoP9CSWR4PiYpfgXP Qkz0achS8HPT217tdP2e06rtdg15EW2VSYpUW79oGjuNPoj2RpS7oDiuv203 EWsaAc1A9qIVkzRzGtmKXDsPekYTIEFyPsp9S5c3O2cwJ6opjN9txCXpHNXS YBhUCgp9kcanqesiIdYMOPjlVePAL65+T9kIEv00hxJxXcyh+p3+GrxzXBeJ GRRbtbC7K5DS936q+9hIA06FihUMrKUdGDPoYDbDmHpzt7RqCibbpkc0ojEq Ked07qkb0W3AtL2Fl9yTaPE05jlbsBoed9F1TZt3wqra8Vw70j7t+gff3t3t Ms0FiEYuu4oxpDRVXYb2Uuv4LqRwAYja5PI9xYklsiQ4xqzOxYMC4nsV+gZH VCP26ZVIFd6zmuMkTmQA4rrOKx937jLEM2wsrENNH9LPNiJIKCWS6Gyi47mp 9iymUJpv8+9DI+JepdkVhiZLzGxomjbWyhl+txptemYxZsN2tBhqpzoKaqak tatffO+HzZbd5wRfy9DuZvwoqLbO7cxUdtnT+QO2NT7kzhUlU6jj0zrvFp6h Wid3leYBsmZV1LE68YY4h5Kgc8/Bj1ahXhDsQPcNvtP+6DcB4+kNH+SQ+jtb h7MnaSCB7ZY7BGE5U+onv4KA1aJ09XyBHYDIXrDxS0I4hBCG0sxoojkDPmuS Gz9qplMEJD9W7zR182Eucz7tZJ+PyhHkIyJbbYY41lWoPOo7q+FdWpQJ03pS e5KRF2DiCEZFBURsYPZTLcHPR1yVcrXWUVvy22qoy0Hz9GEmOlFVMqS4RuXm Moab25xWlgBdAlORckj+wuwv6Y5ZprYTF033qhtfpyl0AR5zygkIonk4EGcY DlcimQudhSRrqanPdj7r4tLwXiCRIBTZEm64Qfg7xUslZVew3OBP6fBl4znc hhmSf4RQJxZCU58UD5m1pDNtOI2dz7YAkX6IGHU/3RnFQNiSGwrdLsXyaCAJ hd8+4CKhCjvcpQpA2e0dsCT1qmIMoR4SG0LbGjhSvarxERI5MBjfcdhwyDyK zVGsVspRV6fVF/oOfMS5hKnouek17ye9/s8RlUxHQQiv3p29e3/1V6nrb7YP D/U9UXFNonO+ZtCtL7baXhLUsEtsqepOS0jW9FKp6KJlFLsvsL4EB0/NKOpI cQSVVhdJmWyyHVAtpOt0P1xa7pyypmDJuV1ayI9d4l5G/Jwa87cmdysiEP9W 1NTCh8KY7DcoX+4ccMOYp1LAmGm/YOyVU7d7jSi6T+OJ1OZMutvNCh4RB5EL gBypBRuRdbuhctQV1Ow7aeASUXVJEYHlC81/hbGIdYzHY85skOi6HMKMqTC1 OOaIIcrzOQTBYEc4Q45oX2WhyBhevfjDd7L7ccjtqen0j9rLeVIMX21Y/eqN Ri8PDmWnn8NRiW7zay6J7O9eHHD5KlZUkQteSnyki+uhy2Oy2Oyd6vTjyPDx NiVyX7M1C+yok2+/QhZ4n45+bOMgEC0sxIr/Dd9H7dr3t25RQ1eVWa7k2kQz o1OEF8//r6h49R/7QshPTjr7kmlVa6rkyAUrOjrckBeGgwC+tMQHaF88gwzH ucKGpq5SmdtWkEG62wc30hLSIRvdTp22T44pEJQhEQiHfW0nAITVZUno+5t1 955J3/aHg4P9/WGiej+Dk9MLdQKnoO7EG8hj0Jnw7ctvH5Krpk+Grjhu2nCm /AawtuxJ9UF5Wkkf4AA+HCKpnXZOP00iPwktYJbg7rCtiHidmJbJOnK/wvk2 Ay9MRVen+jv0qu5QLnZaliVvDuvsdWyEgOBM1J3gjtL2gg9mXr0WN2pGuRnQ 5ZPtYrcd99DRNfM7LZHKNKG15eo30Nxv0ID63S/b0ZWo6ZKk24kd/UGvRYjd QY/46VHgdGuBH4WpRxEWUfCUwiTJ7QKpce/88LKNsJ+fNcE1SZ4aGHrOsQ87 3TShOxwMLmP1zjdEHltGJpXU9b2Sj5I7NDUCpQiwdGvW4RyYrwXcypYaTFG5 yBHi7BOSDDlFoITl8+dwT7ZbDn5L92aOt8+v4nWecOkA72jBYXNwEJq2WWhN y0Y7fje2y2PjfesELFSVUiMYqtp01bnR4rnvDNxY1gWd68+QVVF4w8NzKQWa myq+noFaCxrp1pLJ81GQO8b+RGeNyDa3Dv3oppEpCSodNTyQb2aubDLqITEa L1N2nnI2FY9T2/xbGu+SJcrhZnwYu6Z02joHoIXWb1B9GpkTL29IhPPwoWqQ H59ddO78gMlm69D7DBFC7k+Fird/uiwc9hjrs7P7qI0FMuJxS6tBCr4UV1hT F3zp92//rYX2WHY9bNndLrrQ9xwl3XO5LEZ3vP72dyx5yme8K7ktTCtn7YNY D7bZe/8WIoufV7kiTSONZuq4b/XA+ax4Zbca4Gs5zSkSVkqoYSkQJ07Zuztq daH5Lqp0aEiiXq6PysG45FJ/ZLnEUsYVMZQ5brnFlfvylyT9/PjimC52dO62 JMkHMqbOvd9hvCacIhetzG/Hl69ihcS8citunXH7O8aAarMyW1f05ILcHeB5 q0RhgVCww2ZOkIVCbWoyFMV8fSf37iG+WjM09CcFDZxuCH0oet+UuvBQvULY qBwihNohWeyGS3tkr+oq8t8jdqtN/P345d0d27jMlOvtXZHiVYw02B1mCJLo 2YM4ymbYvSf594BzJOcJ6fo63mXq6xvRp7n8BLlUFdAwxpronFsFZk/vcpFh KgOnZqFvLUrLfmNlh29/Sm2NlM0RJz6kDVg7gDjf0iICeS4SCewfL7w0Dcyn 7qJRz4WbH40+6W679R/ZKcgc3LoIiTxdzIchIlfRDctgjc41na1iOO33Nobq YyHGwV2EUMY2eVD3MIdvmJh8xX8AEDbAMhB0RVdkKrvk+0X8hojzVHdz+YjK S5OBNuU93wb7hOywJwtuVj24S13QyR5dUA6XBtK2cdSbHu/ak9iCLOTdKv7B RljUx1ty8Y9QgoMFxAkRmvfNNxxsWeYhW1mCjzl7YIgnt7q0JqjZpIvCEiLF mBNa+UDWciOQHG6yLyjwCCtHQFBnmzuQ3NCOf5MQxTBK5ciOrniSSJvoGLmH +WVbt5osazpF/qGpedbt6S0BqHRsP53VPtXRPlgJmTPSvYyMhnYtZDCWi/pE bJAwFxx02SdIdng/nPXv14oMHdbm7IgvD3BHqzkCSHMb8yj+Uxq+k85dndSQ QVk5Pokzs46tdf16J3b7t1qou0/vFP/YhJOo/wG34Z20VTcAAA== --></rfc>