Hidden features of HTTP

What hidden features of HTTP do you think are worth mentioning?

By hidden features I mean features that already are part of the standard but widely rather unknown or unused.

Just one feature per answer please.

It's got to be the 418 I'm a teapot status code, part of the Hyper Text Coffee Pot Control Protocol (an extension to HTTP). Makes me laugh every time.

> 2.3.2 418 I'm a teapot > > Any attempt to brew coffee with a teapot should result in the error > code "418 I'm a teapot". The resulting entity body MAY be short and > stout.

The fact that referrer was misspelled and it was decided that the misspelling should be kept.

Obvious answer: PUT, DELETE, TRACE, OPTIONS, CONNECT methods

Most people know about the GET and POST methods because that's what they use when building forms. Browsers also use HEAD a lot. The other methods are much less well-known; they are mostly used by more specific applications.

Have anyone ever seen 402 Payment Required?

204 No Content

I thought 204 was just if you have no content to display, but the spec looks like there is additional behavior that the user agent "not change its document view."

According to HOWTO: Configure Apache to Return a HTTP 204 (No Content) for AJAX

> FWIW, Google actually does something > similar. Each time a user clicks on a > link in their search results, Google > pings itself to record the click; the > response code from the ping is an HTTP > 204.

Also, 204 No Content proposes this is a good technique for "web bugs" or "beacons" if you want to save on every last byte of network traffic you can.

Response Code 410 Gone:

> (...) server owners desire that remote > links to that resource be removed. (...)

Web spiders (most notably Google) will de-index (typically on next crawl) a page which starts returning 410.

In Dynamic content use Last_Modified or ETag header

At times you have dynamic content that can be large and/or costly to generate and that may not change from request to request. You can add a Last_Modified or ETag header to the your generated response.

At the top of your expensive dynamic code you can use the If_Modified_Since or the If_None_Match to determine if the content requestor already has is still current. If it is change the response status to "304 Unmodified" and end the request.

Some server-side technologies provide such features formally but you can do the above even in lowly ASP-Classic.

Note this differs from setting Cache-Control, Expires headers in that it ensures the client always has the latest info on request.

You can request to resume a (large) HTTP response (e.g. file download) using Range and If-Range request headers with respectively the specified byte range and the unique file identifier or the file modification timestamp. This is possible if the server has sent the Accept-Ranges: bytes and ETag or Last-Modified response headers on the initial response with respectively the notification that the server supports byte range requests, the unique file identifier and the file modification timestamp.

The initial response can look like (the ETag is usually composed of file name, size and last modification timestamp):

Accept-Ranges: bytes
ETag: file.ext_1234_1234567890
Content-Range: bytes 0-1233/1234

When the download get aborted on for example 1KB (1024 bytes), the client can resume it as follows:

If-Range: file.ext_1234_1234567890
Range: bytes=1024-

Which should return this response with the appropriate bytes in the body:

Accept-Ranges: bytes
ETag: file.ext_1234_1234567890
Content-Range: bytes 1024-1233/1234

ReST tries to push HTTP to its limits as an interface protocol.

It's not a hidden feature, but from looking at well-defined ReST APIs one can get quite a nice grip on how HTTP is meant to work and find wonderful examples of what can be achieved with simple combination of HTTP methods, status codes and headers to and fro.

Trailer (in contrast to Header)

The protocol allows you to define your own custom-fields. These can be used to carry other information if you don't want to use cookies for it.

HTTP 100 (Continue) Status

A client can send a request message with a request body to determine if the origin server is willing to accept the request..

In some cases, it might either be inappropriate or highly inefficient for the client to send the body if the server will reject the message without looking at the body.

Could be used to avoid traffic from rogue clients.. and/or where bandwidth is a precious commodity.

However, for full use of this feature there are some criteria for HTTP1.1 Client, Servers and Proxies. See the HTTP/1.1 RFC 2616 for further reading on HTTP Connections.

Status codes :

• When URI http://www.domain.invalid/index.php?id=44 is called, if the query (id=44) couldn't return ressource, why not return a status code 404?
• When URI http://www.domain.invalid/index.php?id=foo is called whereas id only accepts integers, why not return a status code 400?
• Why, when you enter the wrong login/password, almost all web application return a message like "Authentication failed" with status code 200 (ok, no problem, you do it well) instade of 401?

Yes, status codes seems to be a kind of secret functionality of HTTP to some web developers... But I wonder if the most occult of all the "features" of this protocol isn't its RFC!