1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
|
---
title: HTTP
slug: Web/HTTP
tags:
- HTTP
- NeedsTranslation
- TopicStub
translation_of: Web/HTTP
---
<div>{{HTTPSidebar}}</div>
<p class="summary"><strong><dfn>Das Hypertext Transfer Protocol (HTTP)</dfn></strong> ist ein <a class="external" href="https://de.wikipedia.org/wiki/OSI-Modell#Schicht_7_.E2.80.93_Anwendungsschicht_.28Application_Layer.29">Anwendungsschicht</a>-Protokoll zum Transportieren von <a class="external" href="https://de.wikipedia.org/wiki/Hypermedia">Hypermedia</a> Dokumenten, wie zum Beispiel <a href="/de/docs/Web/HTML">HTML</a>. Hauptsächlich wird es zur Kommunikation zwischen Webservern und Webbrowsern verwendet, jedoch könnte es theoretisch auch für andere Zwecke benutzt werden. Es folgt einem klassischen <a class="external" href="https://de.wikipedia.org/wiki/Client-Server-Modell">Client-Server-Modell</a>, mit einem Client der die Verbindung eröffnet, indem er eine Anfrage macht und dann wartet, bis es eine Antwort erhält. Außerdem ist es ein <a class="external" href="https://de.wikipedia.org/wiki/Zustandslosigkeit">zustandsloses</a> <a class="external" href="https://de.wikipedia.org/wiki/Netzwerkprotokoll">Protokoll</a>, was bedeutet, dass der Server keine Daten (Zustände) zwischen zwei Anfragen behält.<br>
<br>
Obwohl oft auf einer TCP/IP Schicht aufgebaut, könnte es auch auf jede andere verlässliche, verbindungsorientierte <a class="external" href="https://de.wikipedia.org/wiki/OSI-Modell#Schicht_4_.E2.80.93_Transportschicht">Transportschicht</a> aufbauen, sofern sie Nachrichten nicht leise verliert, wie es zum Beispiel bei <a class="external" href="https://de.wikipedia.org/wiki/User_Datagram_Protocol">UDP</a> der Fall ist.</p>
<h2 class="Documentation" id="Dokumentation">Dokumentation</h2>
<dl>
<dt><a href="/de/docs/Web/HTTP/Headers">HTTP-Header</a></dt>
<dd>HTTP-Nachrichten-Header werden verwendet, um genau zu beschreiben, welche Ressource abgeholt wird oder das Verhalten des Servers oder des Clients. Benutzerdefinierte Header können mit dem ' X-' Präfix hinzugefügt werden; Andere sind in einer IANA-Registry aufgeführt, deren ursprünglicher Inhalt in <a href="https://tools.ietf.org/html/rfc4229">RFC 4229</a> definiert wurde. IANA unterhält auch eine <a href="https://www.iana.org/assignments/message-headers/message-headers.xhtml#prov-headers">Registry der vorgeschlagenen neuen HTTP-Nachrichten-Header</a>.</dd>
<dt><a href="/de/Web_Development/HTTP_cookies">HTTP-Cookies</a></dt>
<dd>Wie Cookies funktionieren, definiert der RFC 6265. Wenn ein Server eine HTTP-Anfrage erhält, kann er einen <code>Set-Cookie</code> Header mit der Antwort senden. Danach wird der Cookie-Wert zusammen mit jeder Anfrage an den gleichen Server in Form eines <code>Cookie</code> HTTP-Headers gesendet. Zusätzlich kann eine Verfallsverzögerung angegeben werden. Einschränkungen einer bestimmten Domäne und eines bestimmten Pfades können ebenfalls festgelegt werden.</dd>
</dl>
<dl>
<dt><a href="/de/docs/HTTP/Basic_access_authentication">Basic access authentication</a></dt>
<dd>Im Kontext einer HTTP-Transaktion ist <strong>basic access authentication</strong> eine Methode für einen <a href="/de/docs/Web/API/window.navigator.userAgent">HTTP user agent</a> einen Benutzernamen und ein Kennwort beim Stellen einer Anfrage zu übermitteln.</dd>
<dt><a href="/de/HTTP_Pipelining_FAQ">HTTP pipelining FAQ</a></dt>
<dd>HTTP/1.1 Pipelining FAQ</dd>
<dt><a href="/de/docs/HTTP/Access_control_CORS">HTTP access control (CORS)</a></dt>
<dd><strong>Cross-site HTTP requests</strong> sind <a href="/de/docs/HTTP">HTTP</a>-Anfragen nach Ressourcen auf einer <strong>anderen Domain</strong> als der Domain, auf der die Ressource liegt, die die Anfrage initiiert. Beispielsweise initiiert eine Ressource, wie eine Web-Seite, die von Domain A (<code>http://domaina.example</code>) geladen wird, eine Anfrage durch Verwendung des <code>img</code>-Elements (<code>http://domainb.foo/image.jpg</code>) nach einem Bild, das auf Domain B (http://domainb.foo) liegt. Dies tritt heutzutage sehr häufig auf — Seiten laden eine Vielzahl an Ressourcen mittels Cross-site-Verfahren, einschließlich CSS-Stylesheets, Bildern, Skripten und anderen Ressourcen.</dd>
<dt><a href="/de/Controlling_DNS_prefetching">Steuern des DNS prefetchings</a></dt>
<dd>Firefox 3.5 führt <strong>DNS prefetching</strong> durch. Dies ist eine Funktion durch die Firefox gezielt Domain-Namensauflösung betreibt, sowohl für Verknüpfungen, denen der Benutzer möglicherweise folgt, als auch für URLs von Objekten auf die im Dokument Bezug genommen wird, einschließlich Bildern, CSS, JavaScript und so weiter. Dieses Vorausladen wird im Hintergrund durchgeführt, so dass es wahrscheinlich ist, dass der DNS-Name bereits aufgelöst wurde, wenn er benötigt wird. Dies reduziert die Verzögerung wenn ein Benutzer tatsächlich eine Verknüpfung anklickt.</dd>
<dt><a href="/de/docs/HTTP/HTTP_response_codes">HTTP Antwort-Codes</a></dt>
<dd>HTTP Antwort-Codes zeigen an, ob eine bestimmte <a href="/de/docs/HTTP">HTTP</a>-Anfrage erfolgreich abgeschlossen wurde. Antworten werden in fünf Klassen zusammengefasst: Informationsantworten, Erfolgsantworten, Weiterleitungen, Client-Fehler und Server-Fehler.</dd>
</dl>
<h2 id="Die_kurze_Geschichte_zu_HTTP">Die kurze Geschichte zu HTTP</h2>
<p>Since its original conception, as a protocol with one single method (GET) and returning only HTML pages, the HTTP protocol went through several revisions. The first documented version was HTTP/0.9 in 1991, corresponding to the original version. Very simple, it has a rudimentary search capability via the HTML {{ HTMLElement("isindex") }} element and an extension of the URL using the '<code>?</code>' character.</p>
<p>Then, in 1992, a version was published that became, with some minor changes, HTTP/1.0 (finalized in <a class="external" href="https://tools.ietf.org/html/rfc1945">RFC 1945</a> in May 1996). One major improvement over the previous version was the ability to transmit files of different types, like images, videos, scripts, CSS documents, and so on, instead of only HTML files: this is achieved by using <a class="external" href="https://en.wikipedia.org/wiki/Mime_types">MIME types</a> in conjunction with the <code>Content-Type:</code> header.</p>
<p>In 1995, the <a class="external" href="https://www.ietf.org/">IETF</a> began developing a new version of HTTP, which would become HTTP/1.1. It quickly spread into wide usage, and it was officially standardized in 1997 in <a class="external" href="https://tools.ietf.org/html/rfc2068">RFC 2068</a>, with minor fixes in <a class="external" href="https://tools.ietf.org/html/rfc2616">RFC 2616</a> two years later.</p>
<p>HTTP/1.1 brought the ability to reuse established connections for subsequent requests, greatly improving the performance of the protocol by lowering the latency between them; this is especially useful with complex HTML documents that need to fetch several subsequent files, like images or style sheets. It also brought the <code>Host:</code> header, which allows a single server, listening on a specific port, to receive requests for several websites; this paved the way for colocating numerous websites on one single server, greatly reducing the cost of hosting.</p>
<p>Since then, the HTTP protocol evolved by adding new <a href="/de/HTTP/Headers">headers</a>, defining new behaviors without the need to fundamentally change the protocol. Unknown headers are simply ignored by servers or clients.</p>
<p>HTTP/1.1 is currently being revised by the <a class="external" href="https://tools.ietf.org/wg/httpbis/">IETF HTTPbis Working Group</a>.</p>
<h2 id="Eine_HTTP-Sitzung">Eine HTTP-Sitzung</h2>
<p>Because HTTP is a client-server protocol, an HTTP session consists of three phases:</p>
<ol>
<li>The client establishes a TCP connection (or the appropriate connection if the transport layer is not TCP).</li>
<li>The client sends its request and then waits for the answer.</li>
<li>The server processes the request and sends back its answer, containing a status code and the appropriate data.</li>
</ol>
<p>Starting with HTTP/1.1, the connection is no longer closed after the third phase, as the client is allowed to issue another request at this point: the second and third phases can therefore be done several times.</p>
<h3 id="Herstellen_einer_Verbindung">Herstellen einer Verbindung</h3>
<p>Because HTTP is a client-server protocol, it always is the client that establishes the connection. Opening a connection in HTTP really is establishing a connection in the underlying transport layer, usually TCP.</p>
<p>With TCP, the default port for an HTTP server on a computer is port 80, though others are often used, like 8000 or 8080. The URL of a page to fetch contains both the domain name and the port number, though the latter can be omitted if it is 80.</p>
<div class="note"><strong>Note:</strong> The client-server model does not allow the server to send data to the client without an explicit request of for it. To work around this problem, web developers use several techniques: pinging the server periodically via the <a href="/de/DOM/XMLHttpRequest">XMLHTTPRequest</a> Javascript object, using the HTML <a href="/de/WebSockets">WebSockets API</a>, or similar protocols.</div>
<h3 id="Senden_einer_Client-Anfrage">Senden einer Client-Anfrage</h3>
<p>Once the connection is established, the user-agent can send its request. (A user-agent is typically a web browser, but need not be.) A client request consists of text directives, separated by CRLF (carriage return, followed by line feed), divided in three blocks:</p>
<ol>
<li>The first line contains a request method followed by its parameters:
<ul>
<li>the path of the document, i.e., an absolute URL without the protocol and the domain name</li>
<li>the HTTP protocol version used</li>
</ul>
</li>
<li>The subsequent lines each represent a specific HTTP header, giving the server some information about what kind of data is appropriate (e.g., what language, what MIME types) or some data altering its behavior (e.g., not sending an answer if it is already cached). These HTTP headers form a block that ends with an empty line.</li>
<li>The final block is the optional data block, which contains further data and is mainly used by the POST method.</li>
</ol>
<h4 id="Beispiele_von_Anfragen">Beispiele von Anfragen</h4>
<ul>
<li>Fetching the root page of developer.mozilla.org, i.e. <a class="linkification-ext external" href="/">http://developer.mozilla.org/</a>, and telling the server that the user-agent would prefer the page in French, if possible:
<pre class="notranslate">GET / HTTP/1.1
Host: developer.mozilla.org
Accept-Language: fr
</pre>
<p>Note the final empty line, separating the data block from the headers block. As there is no <code>Content-Length:</code> HTTP header, the data block is empty and the server can process the request as soon as it receives the empty line marking the end of the headers.</p>
</li>
<li>Sending the result of a form:
<pre class="notranslate">POST /contact_form.php HTTP/1.1
Host: developer.mozilla.org
Content-Length: 64
Content-Type: application/x-www-form-urlencoded
name=Joe%20User&request=Send%20me%20one%20of%20your%20catalogue
</pre>
</li>
</ul>
<h3 id="Die_Struktur_einer_Server-Antwort">Die Struktur einer Server-Antwort</h3>
<p>After the connected agent has sent its request, the web server handles it, and finally sends a response back. Similarly to a client request, a server response is formed of text directives, separated by CRLF, though divided in three different blocks:</p>
<ol>
<li>The first line, the <em>status line</em>, consists of an acknowledgment of the HTTP version used followed by a status request (and its meaning in human-readable text).</li>
<li>The subsequent lines each represent a specific HTTP header giving the client some information about the data sent (e.g., type, data size, compression algorithm used, hints about caching). Similarly to the block of HTTP headers for a client request, these HTTP headers form a block that ends with an empty line.</li>
<li>The final block is the data block, which contains the data (if any).</li>
</ol>
<h4 id="Beispiele_von_Antworten">Beispiele von Antworten</h4>
<ul>
<li>Successful reception of a web page:
<pre class="notranslate">HTTP/1.1 200 OK
Date: Sat, 09 Oct 2010 14:28:02 GMT
Server: Apache
Last-Modified: Tue, 01 Dec 2009 20:18:22 GMT
ETag: "51142bc1-7449-479b075b2891b"
Accept-Ranges: bytes
Content-Length: 29769
Content-Type: text/html
<!DOCTYPE html... <em><strong>(here comes the 29769 bytes of the requested web page)</strong></em>
</pre>
</li>
<li>Notification that the requested resource has been permanently moved:
<pre class="notranslate">HTTP/1.1 301 Moved Permanently
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/html; charset=iso-8859-1
Date: Sat, 09 Oct 2010 14:30:24 GMT
Location: <a class="linkification-ext" href="../../../../">https://developer.mozilla.org/</a> <strong><em>(this is the</em><em> new link to the resource; it is expected that the user-agent will fetch it)</em></strong>
Keep-Alive: timeout=15, max=98
Accept-Ranges: bytes
Via: Moz-Cache-zlb05
Connection: Keep-Alive
X-Cache-Info: caching
X-Cache-Info: caching
Content-Length: 325 <em>(<strong>the content contains a default page to display if the user-agent is not able to follow the link)</strong></em>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="<a class="linkification-ext" href="../../../../">https://developer.mozilla.org/</a>">here</a>.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at developer.mozilla.org Port 80</address>
</body></html>
</pre>
</li>
<li>Notification that the requested resource doesn't exist:
<pre class="notranslate">HTTP/1.1 404 Not Found
Date: Sat, 09 Oct 2010 14:33:02 GMT
Server: Apache
Last-Modified: Tue, 01 May 2007 14:24:39 GMT
ETag: "499fd34e-29ec-42f695ca96761;48fe7523cfcc1"
Accept-Ranges: bytes
Content-Length: 10732
Content-Type: text/html
<!DOCTYPE html... <strong><em>(contains a site-customized page helping the user to find the missing resource)</em></strong>
</pre>
</li>
</ul>
<h3 id="Persistente_Verbindungen">Persistente Verbindungen</h3>
<p>Persistent connections were introduced in HTTP/1.1. They allow transmitting several requests on the same TCP connection (or on the specific connected transport layer if the HTTP is not built upon TCP/IP). This has several advantages:</p>
<ul>
<li>Because the connection can be reused, requests can be <a href="/de/HTTP_Pipelining_FAQ">pipelined</a> to save part of the connection latency.</li>
<li>By opening and closing fewer TCP connections, CPU time is saved.</li>
<li>Network congestion is diminished by lowering the total amount of TCP packets (fewer opening and closing TCP packets).</li>
<li>The TCP stack has more time to detect network congestion and to adapt its sending and receiving windows.</li>
<li>HTTP is more adaptive: the cost for trying a feature is considerably lowered as an error response no longer leads to closing the connection.</li>
</ul>
<h2 id="HTTP-Antfragemethoden">HTTP-Antfragemethoden</h2>
<p>The request method indicates the action to be performed by the server. The HTTP/1.1 standard defines seven methods and allows other methods to be added later. Over the years, a few ones have been added in standards like <a href="/de/WebDAV">WebDAV</a>. The <a class="external" href="https://tools.ietf.org/wg/httpbis/" rel="external nofollow">IETF HTTPbis Working Group</a> is currently working on an IANA registry to list them all. If a server receives a request method that it doesn't know, it must return a <code><a href="/de/HTTP/HTTP_response_codes#501" rel="internal">501 Not implemented</a></code> response; if it knows the method but is configured not to answer it, it must return a <code><a href="/de/HTTP/HTTP_response_codes#501" rel="internal">405 Method not allowed</a></code> response. Two methods are required to be supported: HEAD and GET; all others are optional.</p>
<p>Two specific semantics are defined in the standard and are crucial for web developers: the <em>safety</em> property and the <em>idempotent</em> property.</p>
<h3 id="Sichere_Methoden">Sichere Methoden</h3>
<p>A <dfn>safe method</dfn> is a method that doesn't have any side-effects on the server. In other words, this property means that the method must be used only for <em>retrieval</em> of data. The safe HTTP methods defined in HTTP/1.1 are:</p>
<ul>
<li>GET, used to retrieve information identified by the request URI. This information may be generated on the fly or the GET may be conditional if any of the {{ httpheader("If-Modified-Since") }}, {{ httpheader("If-Unmodified-Since") }}, {{ httpheader("If-Match") }}, {{ httpheader("If-None-Match") }} or {{ httpheader("If-Range") }} HTTP headers are set. In that latter case the information is only sent back if all the conditions are fulfilled.</li>
<li>HEAD, which is identical to GET but without the message body sent.</li>
</ul>
<div class="note"><strong>Notes: </strong>
<ul>
<li>Any safe method is also <em>idempotent</em>.</li>
<li>Not having any side-effects means, for the GET method, that it <strong>must</strong> not be used to trigger an action outside the server, like an order in an e-commerce site. If a side-effect is wanted, a non-<em>idempotent</em> method should be used, like POST.</li>
<li>When a page is generated on the fly by a script, the script engine may calculate the page as if it was requested by a GET and then strip the data block. This does not cause problem as long as the GET as implemented in the script is <em>safe</em>, but if it has any side-effects (like triggering an order on an e-commerce site), the HEAD method will trigger it too. It is up to the web developer to ensure that both the GET and HEAD method are safely implemented.</li>
</ul>
</div>
<h3 id="Idempotente_Methoden">Idempotente Methoden</h3>
<p>An <dfn>idempotent method</dfn> is a method such that the side-effects on the server of several identical requests with the method are the same as the side-effects of one single request.</p>
<ul>
<li>HEAD and GET, like any safe method, are also idempotent, as a safe method doesn't have side-effects on the server.</li>
<li>PUT is the way to upload a new resource on the server. If the resource already exists and is different, it is replaced; if it doesn't exist, it is created.</li>
<li>DELETE removes a resource from the server.</li>
</ul>
<h3 id="Andere_Methoden">Andere Methoden</h3>
<ul>
<li>POST is the way to trigger an action on the server. It has side-effects and can be used to trigger an order, to modify a database, to post a message in a forum, and so on.</li>
<li>OPTIONS is a request for communication options available on the chain between the client and the server (through eventual proxies); this method is typically sent before any <a href="/de/HTTP_access_control#Preflighted_requests">preflighted cross-origin request</a>, in order to know whether it is safe to do it.
<div class="note"><strong>Note:</strong> <a href="/de/HTTP_access_control#Preflighted_requests">Preflighted cross-origin requests</a> cannot be done on servers which don't allow or support the OPTIONS method.</div>
</li>
<li>TRACE is a kind of ping between the client and the server (through eventual proxies).</li>
</ul>
<p>Many more methods, such as PROPFIND or PATCH are defined in other standards-track RFCs of the IETF, like WebDAV.</p>
<p>The CONNECT method is defined in <a class="external" href="https://tools.ietf.org/html/rfc2817">RFC 2817</a>.</p>
<h3 id="HTTP-Anfragemethoden_in_HTML-Formularen">HTTP-Anfragemethoden in HTML-Formularen</h3>
<p>In HTML, different HTTP request methods can be specified in the {{ htmlattrxref("method", "form") }} attribute of the {{ HTMLElement("form") }} element, but also to the {{ htmlattrxref("formmethod", "input") }} of the {{ HTMLElement("input") }} and {{ HTMLElement("button") }} elements. But not all HTTP methods can be used with these attributes; only GET and POST method are allowed by the HTML specification. See <a href="https://softwareengineering.stackexchange.com/a/211790">this StackExchange answer why other HTTP request methods are not allowed by the HTML specification</a>.</p>
<div class="note"><strong>Note</strong>: The choice of a GET or POST method for HTML forms is not neutral. Because the GET method is a <a href="/de/HTTP#Safe_methods">safe method</a>, it should be used only in cases where no side-effect is expected; e.g., it shouldn't be used to transmit an order, as this order is a side-effect. In all cases where such side-effects are expected, the POST method should be used.</div>
<h2 id="HTTP-Antwort-Codes">HTTP-Antwort-Codes</h2>
<p>When answering a client request, the server sends back a three-digit number indicating whether the request was successfully processed. These codes can be grouped in five categories:</p>
<ul>
<li><dfn>Informational responses</dfn> (of the form <code>1xx</code>) are provisional responses. Most of the time neither the end user, nor the web developer or webmaster should have to bother with these. The most common is the <code><a href="/de/HTTP/HTTP_response_codes#100">100 Continue</a></code> response, indicating that the client should continue to send its request.
<div class="note"><strong>Note:</strong> No information response codes were defined in the HTTP/1.0, and therefore they must not be sent back when this version of the protocol is used.</div>
</li>
<li><dfn>Success responses</dfn> (of the form <code>2xx</code>) are for successfully processed requests. The <code><a href="/de/HTTP/HTTP_response_codes#200">200 OK</a></code> response is by far the most common of these responses, but the <code><a href="/de/HTTP/HTTP_response_codes#206">206 Partial Content</a></code> is also often seen when fetching a file or some media data like video or audio.</li>
<li><dfn>Redirection responses</dfn> (of the form <code>3xx</code>) indicate that the resource that the client requested has moved and the server is not able to serve it directly. Most of these responses contain some location information telling where to find the requested resource; user-agents often then retrieve it without further user interaction. The most common responses of this type are <code><a href="/de/HTTP/HTTP_response_codes#301">301 Moved Permanently</a></code>, indicating that the URI given is no longer valid and has been moved to another place, and <code><a href="/de/HTTP/HTTP_response_codes#302">302 Found</a></code> which indicates that the resource has been <em>temporarily</em> moved to another place.
<div class="note"><strong>Note:</strong> For webmasters, it is recommended to set up a <code><a href="/de/HTTP/HTTP_response_codes#301">301 Moved Permanently</a></code> redirection when moving pages to another URI, during a site reorganization for example. That allows users following links to still reach the resource and it also teaches search engines and other services the new location of the resource, so that they can transfer their metadata to it. It is also important to add adequate cache headers to the <code><a href="/de/HTTP/HTTP_response_codes#301">301 Moved Permanently</a></code> response so that this information is cached by the client and prevents it from making unnecessary requests to the original URI prior to fetching the resource itself.</div>
</li>
<li><dfn>Client error responses</dfn> (of the form <code>4xx</code>) indicate that the request sent by the client is either invalid, incomplete, or doesn't have enough rights to be performed. The most common such response is <code><a href="/de/HTTP/HTTP_response_codes#404">404 Not Found</a></code> which is sent back when the URI requested doesn't exist, but a few others are often presented to the end user, like <code><a href="/de/HTTP/HTTP_response_codes#400">400 Bad Request</a></code> sent when the request isn't a valid HTTP request (as this shouldn't happen but may indicate a bug into the user agent or, less likely, the server) or <code><a href="/de/HTTP/HTTP_response_codes#403">403 Forbidden</a></code>, sent when the client request a resource that does exist but isn't allowed to be transmitted (like a directory content).</li>
<li><dfn>Server error responses</dfn> (of the form <code>5xx</code>) indicate that the server had a problem handling the valid client request. The two most common such responses are <code><a href="/de/HTTP/HTTP_response_codes#500">500 Internal Server Error</a></code>, a generic error code indicating a bug in the server or <code><a href="/de/HTTP/HTTP_response_codes#503">503 Service Unavailable</a></code> indicating that the server cannot process the request due to a temporary problem, like a disabled service for maintenance purposes or the non-availability of a database.</li>
</ul>
<p>A web developer shouldn't encounter many other response codes, but people building requests using the <code><a href="/de/nsIXMLHttpRequest">XMLHTTPRequest</a></code> function may hit <a href="/de/HTTP/HTTP_response_codes">less usual response codes</a>.</p>
<h3 id="Mehr_über_Weiterleitungsantworten">Mehr über Weiterleitungsantworten</h3>
<p>Starting in Gecko 9.0 {{ geckoRelease("9.0") }}, redirections (such as 301 and 307) that specify a <code>javascript:</code> URI are no longer performed. Instead, a bad connection error is presented. This helps avoid cross-site scripting attacks. See {{ bug(255119) }} if you want more details.</p>
<h2 id="HTTP-Headers">HTTP-Headers</h2>
<p>HTTP-Kopfdaten ermöglichen the client and the server to pass additional information with the request or the response. A request header consists of its case-insensitive name followed by a colon ':', then by its value (without CRLF in it). Leading white space before the value is ignored.</p>
<p>Headers are grouped according the context in which they may appear:</p>
<dl>
<dt>Allgemeine Kopfdaten</dt>
<dd>These headers apply to both requests and responses but are unrelated to the data eventually transmitted in the body. They therefore apply only to the message being transmitted. There are only a few of them and new ones cannot been added without increasing the version number of the HTTP protocol. The exhaustive list for HTTP/1.1 is {{ httpheader("Cache-Control") }}, {{ httpheader("Connection") }}, {{ httpheader("Date") }}, {{ httpheader("Pragma") }}, {{ httpheader("Trailer") }}, {{ httpheader("Transfer-Encoding") }}, {{ httpheader("Upgrade") }}, {{ httpheader("Via") }} and {{ httpheader("Warning") }}.</dd>
<dt>Anfragekopfdaten</dt>
<dd>These headers give more precise information about the resource to be fetched or about the client itself. Among them one find <a href="/de/HTTP_Caching_FAQ">cache-related headers</a>, transforming a GET method in a conditional GET, like {{ httpheader("If-Modified-Since") }}, user-preference information like {{ httpheader("Accept-Language") }} or {{ httpheader("Accept-Charset") }} or plain client information like {{ httpheader("User-Agent") }}. New request headers cannot officially be added without increasing the version number of the HTTP protocol. But, it is common for new request headers to be added if both the server and the client agree on their meaning. In that case, a client should not assume that they will be handled adequately by the server; unknown request headers are handled as <em>entity headers</em>.</dd>
<dt>Antwortkopfdaten</dt>
<dd>These headers give more information about the resource sent back, like its real location ({{ httpheader("Location") }}) or about the server itself, like its name and version ({{ httpheader("Server") }}). New response headers cannot be added without increasing the version number of the HTTP protocol. But, it is common for new response headers to be added if both the server and the client agree on their meaning. In that case, a server should not assume that they will be handled adequately by the client ; unknown response headers are handled as <em>entity headers</em>.</dd>
<dt>Entitätskopfdaten</dt>
<dd>Diese Kopfdaten beinhalten mehr Informationen über den Körper der Entität, wie ihre Länge ({{ httpheader("Content-Length") }}), eine Identifikationsprüfsumme ({{ httpheader("Content-MD5") }}) oder ihren MIME-Typ ({{ httpheader("Content-Type") }}). Neue Entitätskopfdaten können ohne Erhöhung der Versionsnummer des HTTP-Protokolls hinzugefügt werden.</dd>
</dl>
<p>Kopfdaten können auch nach ihrer Handhabung durch puffernde und nicht-puffernde Proxys gruppiert werden:</p>
<dl>
<dt>Ende-zu-Ende-Kopfdaten</dt>
<dd>These headers must be transmitted to the final recipient of the message; that is, the server for a request message or the client for a response message. Such a header means that intermediate proxies must retransmit it unmodified and also that caches must store it.</dd>
<dt>Sprung-zu-Sprung-Kopfdaten</dt>
<dd>Diese Kopfdaten sind nur für eine einzelne Verbindung auf Transportebene von Bedeutung und dürfen von Proxys nicht weitergeleitet oder gepuffert werden. Solche Kopfdaten sind: {{ httpheader("Connection") }}, {{ httpheader("Keep-Alive") }}, {{ httpheader("Proxy-Authenticate") }}, {{ httpheader("Proxy-Authorization") }}, {{ httpheader("TE") }}, {{ httpheader("Trailers") }}, {{ httpheader("Transfer-Encoding") }} und {{ httpheader("Upgrade") }}. Zu Beachten ist, dass nur Sprung-zu-Sprung-Kopfdaten {{ httpheader("Connection") }} bei der Verwendung der Allgemeinen Kopfdaten gesetzt werden dürfen.</dd>
</dl>
<p>In order to learn about the specific semantic of each header, see its entry in the <a href="/de/HTTP/Headers">comprehensive list of HTTP headers</a>.</p>
<h3 id="Nützliche_Anfragekopfdaten">Nützliche Anfragekopfdaten</h3>
<p>Among the numerous <a href="/de/HTTP/Headers">HTTP request headers</a>, several are especially useful when set correctly. If you are building your own requests, by using <code><a href="/de/DOM/XMLHttpRequest">XMLHTTPRequest</a></code> or when writing an extension and sending <a href="/de/Setting_HTTP_request_headers">custom HTTP requests via XPCOM</a>, then it is important to ensure the presence of headers that are often set by browsers based on the preferences of the user.</p>
<dl>
<dt>Steuern der Ressourcensprache</dt>
<dd>Most user-agents, like Firefox, allow the user to set a preference for the language for receiving a resource. The browser translate this into an {{ httpheader("Accept-Language") }} header. It is good practice for web developers, when building specific HTTP requests, to include such a header too.</dd>
<dt>Verwenden des bedingten GET</dt>
<dd>Caching is a major tool to accelerate the display of web pages. Even when parts of a webpage are refreshed via an <code><a href="/de/DOM/XMLHttpRequest">XMLHTTPRequest</a></code>:, it is a good idea to use the {{ httpheader("If-Modified-Since") }} header (and other similar ones) in order to fetch the new content only if it has changed. This approach lowers the burden on the network.</dd>
</dl>
<h3 id="Nützliche_Antwortkopfdaten">Nützliche Antwortkopfdaten</h3>
<p>The configuration of a web server is a critical part to ensure good performance and optimal security of a web site. Among the <a href="/de/HTTP/Headers">numerous HTTP response headers</a>, several are of specific importance and should be configured on the server</p>
<h4 id="Restricting_framing">Restricting framing</h4>
<p>Several cross-site scripting (XSS) attacks take advantage of the ability to put third-party content inside an {{ HTMLElement("frame") }} or {{ HTMLElement("iframe") }}. In order to mitigate that risk, modern browsers have introduced the <code><a href="/de/Security/CSP/CSP_policy_directives#frame-ancestors">CSP frame-ancestors directive</a></code>. By setting it with the value <code>'none'</code>, it prevents the browser from displaying this resource inside of a frame. Using it on critical resources (like those containing a formularies or critical information) will reduce the risk caused by XSS attacks. Note that this specific HTTP response header is not the only way to mitigate XSS risks; other techniques, like setting some <a href="/de/Security/CSP/Introducing_Content_Security_Policy">Content Security Policies</a>, may be helpful too.</p>
<h4 id="Komprimierung">Komprimierung</h4>
<p>Minimizing the amount of data transferred accelerates the display of a web page. Though most techniques, like <a href="/de/CSS/CSS_Sprites">CSS Sprites</a>, should be applied on the site itself, compression of data must be set at the web server level. If set, resources requested by the client with an {{ httpheader("Accept-Encoding") }} request header are compressed using the appropriate method and sent back with a {{ httpheader("Content-Encoding") }} response header. Setting these in Apache 2 servers is done by using the <a class="external" href="https://httpd.apache.org/docs/2.4/mod/mod_deflate.html">mod_deflate module</a>.</p>
<div class="note"><strong>Note:</strong> Be aware that not all data formats can be efficiently compressed. Already-compressed media data, like JPEG images or most audio and video formats, do not shrink using another pass of compression. In fact, they often become larger due to the overhead of the compression method. It is important not to try to compress these resource types any further; there is no advantage in size and the compression/decompression mechanism is resource-intensive.</div>
<h4 id="Steruern_des_Puffers">Steruern des Puffers</h4>
<p><a href="/de/HTTP_Caching_FAQ">HTTP Caching</a> is a technique that prevents the same resource from being fetched several times if it hasn't change. Configuring the server with the correct response headers allows the user-agent to adequately cache the data. In order to do that, be sure that:</p>
<ul>
<li>Any static resource provides an {{ httpheader("Expires") }} response header that is set to far in the future. That way, the resource may stay in the cache until the user-agent flushes it for its own reasons (like reaching its cache size limit).
<div class="note"><strong>Note: </strong>On Apache, use the ExpiresDefault directive in your .htaccess to define a relative expires: <code>ExpiresDefault "access plus 1 month"</code>.</div>
</li>
<li>Any dynamic resource provides a {{ httpheader("Cache-control") }} response header. Theoretically, any HTTP request done through a <a href="/de/HTTP#Safe_Methods">safe method</a> (GET or HEAD) or even through a solely <a href="/de/HTTP#Idempotent_Methods">idempotent one</a> (DELETE, PUT) may be cached; but in practice careful study is needed to determine if the caching of the response may lead to inappropriate side-effects.</li>
</ul>
<h4 id="Setzen_der_richtigen_MIME-Typen">Setzen der richtigen MIME-Typen</h4>
<p>The MIME type is the mechanism to tell the client the kind of document transmitted: the extension of a file name has no meaning on the web. It is therefore important that the server is correctly set up so that the correct MIME type is transmitted with each document: user-agents often use this MIME-type to determine what default action to do when a resource is fetched.</p>
<div class="note"><strong>Note: </strong>
<ul>
<li>On Apache, one can match file extensions with a given MIME type in the .htaccess using the <code>AddType</code> type directive like <code>AddType image/jpeg jpg.</code></li>
<li>Most web servers send unknown-type resources using the default <code>application/octet-stream</code> MIME type; for security reasons, most browsers, like Firefox, do not allow setting a custom default action for such resources and force the user to store it to disk in order to use it. Some common cases of often incorrectly configured servers happens for the following file types:
<ul>
<li>
<p>Rar-encoded files. The ideal would be to be able to set the real type of the encoded files; this often is not possible (as it may not be known to the server and these files may contains several resource of different types). In that case, configure the server to send the <code>application/x-rar-compressed </code>MIME type or some users won't be able to define a useful default action for them.</p>
</li>
<li>
<p>Audio and video files. Only resources with the proper MIME Type will be recognized and played, using a {{ HTMLElement("video") }} or {{ HTMLElement("audio") }} elements. Be sure to <a href="/de/Media_formats_supported_by_the_audio_and_video_elements">use the correct MIME type for audio and video resources</a>.</p>
</li>
<li>
<p>Proprietary file types. Pay special attention when serving a proprietary file type. Be sure not to forget to add an x-prefixed type for it; otherwise, special handling won't be possible. This is especially true with resources using the <a class="external" href="https://en.wikipedia.org/wiki/Keyhole_Markup_Language">Keyhole Markup Language</a>, which should be served as <code>application/vnd.google-earth.kml+xml </code>for an optimal user experience.</p>
</li>
</ul>
</li>
</ul>
</div>
<h2 id="Siehe_auch">Siehe auch</h2>
<ul>
<li><a href="/de/Controlling_DNS_prefetching">Controlling DNS prefetching</a></li>
<li>The <a href="/de/HTTP_Pipelining_FAQ">HTTP pipelining FAQ</a></li>
<li><a href="/de/Web_Development/HTTP_cookies">HTTP cookies</a></li>
<li><a href="/de/docs/HTTP/Headers">HTTP Headers</a></li>
<li><a href="/de/docs/HTTP/Basic_access_authentication">Basic access authentication</a></li>
<li><a href="/de/docs/HTTP/Access_control_CORS">HTTP access control (CORS)</a></li>
</ul>
|
