HTTP/1.0

After years of ad-hoc browser and server extensions to HTTP/0.9, HTTP/1.0 became the first formally documented version of the HyperText Transfer Protocol. Published in May 1996 as RFC 1945, the specification codified practices evolving organically since 1991. RFC 1945 was authored by Tim Berners-Lee, Roy T. Fielding, and Henrik Frystyk Nielsen.

RFC 1945 is an Informational RFC, not a Standards Track document. The IESG note states: "The IESG has concerns about this protocol, and expects this document to be replaced relatively soon by a standards track document." The replacement arrived eight months later with HTTP/1.1 (RFC 2068).

Table of Contents

History

Between 1991 and 1995, HTTP evolved through a try-and-see approach. Browser and server developers added features (headers, status codes, new methods) and shipped them without formal coordination. Interoperability problems were common.

NCSA Mosaic (1993) and Netscape Navigator (1994) drove rapid adoption of the web. On the server side, CERN httpd and NCSA HTTPd introduced features like Content-Type and CGI scripting. Apache, forked from NCSA HTTPd in early 1995, quickly became the dominant server software.

RFC 1945 did not invent HTTP/1.0. The specification documented "features that seem to be consistently implemented in most HTTP/1.0 clients and servers." By the time the RFC was published, millions of requests per day already used the protocol the RFC described.

What HTTP/1.0 added

HTTP/0.9 had one method (GET), no headers, no status codes, and no content types. HTTP/1.0 changed the protocol fundamentally.

Request and response structure

The request line gained a version identifier:

GET /index.html HTTP/1.0

The response gained a status line with the protocol version, a numeric status code, and a reason phrase:

HTTP/1.0 200 OK

Both requests and responses gained HTTP headers for carrying metadata.

Methods

HTTP/1.0 defined three methods in the core specification:

GET: retrieve a resource
HEAD: retrieve headers only, no body
POST: send data to the server

Appendix D listed PUT, DELETE, LINK, and UNLINK as additional methods with inconsistent implementations.

Status codes

RFC 1945 defined 16 status codes across four active classes. The 1xx class was reserved but not used.

Class	Codes
Status#2xx-Success	2xx
Status#3xx-Redirection	3xx
Status#4xx-Client-Error	4xx
Status#5xx-Server-Error	5xx

Headers

The specification defined 16 HTTP headers:

Category Headers

General

Category	Headers
General	Accept, Accept-Encoding, Accept-Language, and Content-Language. Content types HTTP/1.0 adopted the MIME media type system from email (RFC 1521). The Content-Type header enabled transmission of images, scripts, stylesheets, and any other file type, not HTML alone. RFC 1945 Appendix C documented the differences between HTTP and MIME. HTTP does not use Content-Transfer-Encoding, and multipart body parts in HTTP carry full HTTP headers rather than only Content-* headers. Authentication Section 11 defined Basic Authentication using the Authorization and WWW-Authenticate headers. Credentials are Base64-encoded (not encrypted) and transmitted in cleartext. Security Basic authentication provides no confidentiality. Credentials are trivially reversible from the Base64 encoding. Without TLS, both credentials and response data travel over the network in plaintext. Caching HTTP/1.0 introduced a date-based Caching model using Expires, If-Modified-Since, Last-Modified, and `Pragma: no-cache`. The model had no Cache-Control directives, no ETags, and no revalidation mechanism beyond date comparison. Clock skew between client and server was a recurring problem. Connection model Each HTTP/1.0 request required a separate TCP connection. The server closed the connection after sending the response. A page with 10 images meant 11 TCP connections, each with a full three-way handshake. This connection-per-request model was expensive. TCP slow start meant each new connection began with a small congestion window, and connections were closed before the window had time to grow. On high-latency networks, the overhead was significant. The Keep-Alive extension RFC 1945 did not define persistent connections. An unofficial `Connection: Keep-Alive` extension emerged around 1995, first implemented by Netscape Navigator. If the server echoed the header back, the TCP connection remained open for reuse. Proxy problem A proxy unaware of Keep-Alive forwarded the `Connection: Keep-Alive` header verbatim to the origin server. Both sides kept their connections open, but the proxy itself did not reuse them, resulting in hung connections. HTTP/1.1 solved this by making persistent connections the default and defining `Connection` as a hop-by-hop header. Entity body length RFC 1945 Section 7.2.2 defined two methods for determining body length: If Content-Length is present, its value defines the length in octets. Otherwise, the body ends when the server closes the connection. POST requests required a Content-Length header because closing the connection prevented the server from sending a response. There was no chunked transfer encoding. Dynamic content of unknown length required either buffering the entire response before sending or relying on connection close. Example A complete HTTP/1.0 exchange. The client requests an HTML page, then opens a second TCP connection to fetch an image referenced in the page. Initial request `GET /index.html HTTP/1.0 User-Agent: NCSA_Mosaic/2.0 (Windows 3.1) Accept: text/html` Response `HTTP/1.0 200 OK Date: Sun, 01 Jan 1995 12:01:00 GMT Server: CERN/3.0 libwww/2.17 Content-Type: text/html Content-Length: 80 <html> Welcome to the <img src="/logo.gif"> example.re homepage! </html>` Second connection (to fetch the image) `GET /logo.gif HTTP/1.0 User-Agent: NCSA_Mosaic/2.0 (Windows 3.1) Accept: image/gif` Response `HTTP/1.0 200 OK Date: Sun, 01 Jan 1995 12:01:01 GMT Server: CERN/3.0 libwww/2.17 Content-Type: image/gif Content-Length: 5000 <Encoded data of logo.gif>` Each request opens a new TCP connection. The server closes the connection after each response. Limitations HTTP/1.0 had significant constraints HTTP/1.1 addressed: No mandatory Host header: a server listening on a single IP address had no way to distinguish between different domains. Virtual hosting was not possible with pure HTTP/1.0. Connection per request: each request required a new TCP connection with full handshake overhead. No chunked transfer encoding: dynamic content of unknown length had to be buffered completely or terminated by connection close. Limited caching: only date-based, no ETags, no max-age, no revalidation beyond If-Modified-Since. No persistent connections in the spec: Keep-Alive was a non-standard extension with proxy compatibility issues. No content negotiation in core: Accept headers were in Appendix D with inconsistent implementations. No range requests: no mechanism for resumable downloads or partial content retrieval. See also RFC 1945: HTTP/1.0 HTTP/0.9 HTTP/1.1 HTTP/2 HTTP/3 HTTP Explained Last updated: April 4, 2026 HTTP Status Tester Test live and from different countries the HTTP responses, redirect chains and status codes of one or multiple URLs. Try it now! About the author Fili Technical SEO Consultant Fili is a former Google Search Engineer, and currently a Technical SEO Consultant at Search Brothers Status HTTP Status Codes overview 100 Continue 101 Switching Protocols 102 Processing 103 Early Hints 200 OK 201 Created 202 Accepted 203 Non-Authoritative Information 204 No Content 205 Reset Content 206 Partial Content 207 Multi-Status 208 Already Reported 218 This is fine 226 IM Used 300 Multiple Choices 301 Moved Permanently 302 Found 303 See Other 304 Not Modified 305 Use Proxy 306 Switch Proxy 307 Temporary Redirect 308 Permanent Redirect 400 Bad Request 401 Unauthorized 402 Payment Required 403 Forbidden 404 Not Found 405 Method Not Allowed 406 Not Acceptable 407 Proxy Authentication Required 408 Request Timeout 409 Conflict 410 Gone 411 Length Required 412 Precondition Failed 413 Content Too Large 414 URI Too Long 415 Unsupported Media Type 416 Range Not Satisfiable 417 Expectation Failed 418 I'm a teapot 419 Page Expired 420 Method Failure or Enhance your calm 421 Misdirected Request 422 Unprocessable Content 423 Locked 424 Failed Dependency 425 Too Early 426 Upgrade Required 428 Precondition Required 429 Too Many Requests 430 Security Rejection 431 Request Header Fields Too Large 440 Login Time-out 444 No Response 449 Retry With 450 Blocked by Windows Parental Controls 451 Unavailable For Legal Reasons 460 Client closed connection prematurely 463 Too many forwarded IP addresses 464 Incompatible protocol 470 Request Denied 492 User Access Forbidden 493 Unsupported Browser 494 Request header too large 495 SSL Certificate Error 496 SSL Certificate Required 497 HTTP Request Sent to HTTPS Port 498 Invalid Token 499 Token Required or Client Closed Request 500 Internal Server Error 501 Not Implemented 502 Bad Gateway 503 Service Unavailable 504 Gateway Timeout 505 HTTP Version Not Supported 506 Variant Also Negotiates 507 Insufficient Storage 508 Loop Detected 509 Bandwidth Limit Exceeded 510 Not Extended 511 Network Authentication Required 520 Web Server Is Returning an Unknown Error 521 Web Server Is Down 522 Connection Timed Out 523 Origin Is Unreachable 524 A Timeout Occurred 525 SSL Handshake Failed 526 Invalid SSL Certificate 527 Railgun Listener to Origin 529 The Service Is Overloaded 530 Site Frozen 531 Upstream Connection Error 532 Response Too Large 533 Upstream TLS Error 534 Application Error 535 Unknown Application 536 HTTP Response Timeout 537 DNS Resolution Error 538 Request Loop 539 Serverless Timeout 540 Temporarily Disabled 541 Out of Workers 542 Database Error / Header Overflow 543 Communication Error / Upstream Timeout 544 Management Error / Invalid Host Header 545 Authentication Error / Component Not Ready 546 Unknown Application / TLS Error 547 No HTTP Response 548 Invalid Response / DNS Resolution Error 549 Authentication Gateway Error / Application Crash 552 Application Unreachable 553 Directory Service Error 554 Authentication Token Error 555 Application Does Not Support Kerberos 556 Unexpected Authentication Challenge 557 KDC Unreachable 558 Connection Limit Stop 559 Connection Limit Stop 561 Unauthorized 562 Credential Error 598 Network Read Timeout Error 599 Network Connect Timeout Error 600 Invalid Headers 893 Load Balancing Overflow 999 Request Denied Headers HTTP Headers overview A-IM Accept Accept-CH Accept-CH-Lifetime Accept-Charset Accept-Datetime Accept-Encoding Accept-Language Accept-Patch Accept-Post Accept-Ranges Accept-Signature Access-Control-Allow-Credentials Access-Control-Allow-Headers Access-Control-Allow-Methods Access-Control-Allow-Origin Access-Control-Expose-Headers Access-Control-Max-Age Access-Control-Request-Headers Access-Control-Request-Method Age Akamai-GRN Allow Alt-Svc Alt-Used Authentication-Info Authorization Available-Dictionary Cache-Control Cache-Group-Invalidation Cache-Groups Cache-Status Capsule-Protocol CDN-Cache-Control CDN-Loop Cf-Cache-Status Cf-Edge-Cache Cf-Mitigated Cf-Ray Clear-Site-Data Client-Cert Client-Cert-Chain Connection Content-Digest Content-Disposition Content-Encoding Content-Language Content-Length Content-Location Content-MD5 Content-Range Content-Security-Policy Content-Security-Policy-Report-Only Content-Type Cookie Critical-CH Cross-Origin-Embedder-Policy Cross-Origin-Embedder-Policy-Report-Only Cross-Origin-Opener-Policy Cross-Origin-Opener-Policy-Report-Only Cross-Origin-Resource-Policy Date Delta-Base Deprecation Device-Memory Dictionary-ID Digest DNT Document-Isolation-Policy Document-Isolation-Policy-Report-Only Document-Policy Downlink DPoP DPoP-Nonce Early-Data ECT Edge-Control ETag Expect Expect-CT Expires Feature-Policy Forwarded From GLB-X-Seen-By Host Host-Header HTTP2-Settings If-Match If-Modified-Since If-None-Match If-Range If-Unmodified-Since IM Incremental Keep-Alive Last-Event-ID Last-Modified Link Link-Template Location Max-Forwards Memento-Datetime MIME-Version NEL No-Vary-Search Onion-Location Origin Origin-Agent-Cluster Origin-Trial P3P Panel Permissions-Policy Ping-From Ping-To Platform Powered-By Pragma Prefer Preference-Applied Priority Proxy-Authenticate Proxy-Authentication-Info Proxy-Authorization Proxy-Status Public-Key-Pins Public-Key-Pins-Report-Only Purpose Range RateLimit-Limit RateLimit-Remaining RateLimit-Reset Referer Referrer-Policy Refresh Replay-Nonce Report-To Reporting-Endpoints Repr-Digest Request-Context Retry-After RTT Save-Data Sec-CH-Prefers-Color-Scheme Sec-CH-Prefers-Reduced-Motion Sec-CH-UA Sec-CH-UA-Arch Headers Sec-CH-UA-Bitness Sec-CH-UA-Full-Version-List Sec-CH-UA-Mobile Sec-CH-UA-Model Sec-CH-UA-Platform Sec-CH-UA-Platform-Version Sec-Fetch-Dest Sec-Fetch-Mode Sec-Fetch-Site Sec-Fetch-User Sec-GPC Sec-Purpose Sec-Speculation-Tags Sec-WebSocket-Accept Sec-WebSocket-Extensions Sec-WebSocket-Key Sec-WebSocket-Protocol Sec-WebSocket-Version Server Server-Timing Set-Cookie Shopify-Complexity-Score Signature Signature-Agent Signature-Input SourceMap Speculation-Rules Strict-Transport-Security Sunset Supports-Loading-Mode Surrogate-Control Surrogate-Key TE Timing-Allow-Origin Traceparent Traceresponse Tracestate Trailer Transfer-Encoding Upgrade Upgrade-Insecure-Requests Use-As-Dictionary User-Agent Vary Via Want-Content-Digest Want-Digest Want-Repr-Digest Warning WWW-Authenticate X-AC X-Adblock-Key X-Akamai-Transformed X-Amz-Cf-Id X-Amz-Cf-Pop X-Amz-Id-2 X-Amz-Request-Id X-Amz-Server-Side-Encryption X-Amz-Version-Id X-Amzn-RequestId X-Amzn-Trace-Id X-AspNet-Version X-AspNetMvc-Version X-Azure-Ref X-B3-TraceId X-Cache X-Cache-Group X-Cache-Hits X-Cache-Miss-From X-Cache-Status X-Cacheable X-CDN X-Clacks-Overhead X-Cloud-Trace-Context X-Content-Security-Policy X-Content-Type-Options X-ContextId X-Correlation-Id X-DC X-DNS-Prefetch-Control X-Domain X-Download-Options X-Drupal-Cache X-Drupal-Dynamic-Cache X-Envoy-Upstream-Service-Time X-Fastly-Request-Id X-FB-Debug X-Forwarded-For X-Forwarded-Host X-Forwarded-Proto X-Frame-Options X-Generator X-GitHub-Request-Id X-Hacker X-Host X-IInfo X-IPLB-Instance X-IPLB-Request-Id X-LiteSpeed-Cache X-LiteSpeed-Cache-Control X-LiteSpeed-Tag X-Matched-Path X-Meta-Site-Id X-Middleware-Rewrite X-MS-Request-Id X-Nextjs-Cache X-Nextjs-Prerender X-Nextjs-Stale-Time X-Nf-Request-Id X-Pcrew-Blocked-Reason X-Pcrew-Ip-Organization X-Permitted-Cross-Domain-Policies X-Pingback X-Powered-By X-Proxy-Cache X-RateLimit-Limit X-RateLimit-Remaining X-RateLimit-Reset X-Real-IP X-Redirect X-Redirect-By X-Request-ID X-Robots-Tag X-Runtime X-Seen-By X-Served-By X-ShardId X-ShopId X-SiteId X-Sorting-Hat-PodId X-Sorting-Hat-ShopId X-Storefront-Renderer-Rendered X-Sucuri-Id X-Timer X-Turbo-Charged-By X-UA-Compatible X-Varnish X-Vercel-Cache X-Vercel-Id X-Version X-WebKit-CSP X-Wix-Cache-Control X-Wix-Request-Id X-WS-RateLimit-Limit X-WS-RateLimit-Remaining X-XSS-Protection Methods HTTP Methods overview CONNECT DELETE GET HEAD OPTIONS PATCH POST PRI PUT QUERY TRACE HTTP Testing Tools HTTP Status Tester HTTP Compression Check HTTP/2 Check HTTP/3 Check HTTP Response API URL Parse API Content-Type Check HTTP Specifications HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/3 HTTP Authentication HTTP Caching Canonical URLs Client Hints HTTP Compression HTTP Conditional Requests HTTP Content Negotiation HTTP Cookies Cross-Origin Resource Sharing (CORS) Data URLs HTTP Explained Hreflang HTTP Strict Transport Security HTTP Connection Management HyperText Transfer Protocol Secure (HTTPS) HyperText Transfer Protocol (HTTP) HTTP Media Types Oblivious HTTP Origins Percent-Encoding Problem Details for HTTP APIs HTTP Protocol Upgrade Mechanism Punycode HTTP Range Requests HTTP Redirections HTTP Request Resource Hints HTTP Response A Typical HTTP Session Soft 404s HTTP Streaming HTTP Structured Fields Uniform Resource Identifier (URI) Uniform Resource Locator (URL) Uniform Resource Name (URN) WebDAV Well-Known URIs WHIP (WebRTC-HTTP Ingestion Protocol) WebSocket WebSocket Secure (wss://) Made with ♥ by Technical SEO Consultant Fili © 2022 - 2026 Licensed under CC BY-NC-ND 4.0

Accept, Accept-Encoding, Accept-Language, and Content-Language.

Content types

HTTP/1.0 adopted the MIME media type system from email (RFC 1521). The Content-Type header enabled transmission of images, scripts, stylesheets, and any other file type, not HTML alone.

RFC 1945 Appendix C documented the differences between HTTP and MIME. HTTP does not use Content-Transfer-Encoding, and multipart body parts in HTTP carry full HTTP headers rather than only Content-* headers.

Authentication

Section 11 defined Basic Authentication using the Authorization and WWW-Authenticate headers. Credentials are Base64-encoded (not encrypted) and transmitted in cleartext.

Security

Basic authentication provides no confidentiality. Credentials are trivially reversible from the Base64 encoding. Without TLS, both credentials and response data travel over the network in plaintext.

Caching

HTTP/1.0 introduced a date-based Caching model using Expires, If-Modified-Since, Last-Modified, and Pragma: no-cache. The model had no Cache-Control directives, no ETags, and no revalidation mechanism beyond date comparison. Clock skew between client and server was a recurring problem.

Connection model

Each HTTP/1.0 request required a separate TCP connection. The server closed the connection after sending the response. A page with 10 images meant 11 TCP connections, each with a full three-way handshake.

This connection-per-request model was expensive. TCP slow start meant each new connection began with a small congestion window, and connections were closed before the window had time to grow. On high-latency networks, the overhead was significant.

The Keep-Alive extension

RFC 1945 did not define persistent connections. An unofficial Connection: Keep-Alive extension emerged around 1995, first implemented by Netscape Navigator. If the server echoed the header back, the TCP connection remained open for reuse.

Proxy problem

A proxy unaware of Keep-Alive forwarded the Connection: Keep-Alive header verbatim to the origin server. Both sides kept their connections open, but the proxy itself did not reuse them, resulting in hung connections. HTTP/1.1 solved this by making persistent connections the default and defining Connection as a hop-by-hop header.

Entity body length

RFC 1945 Section 7.2.2 defined two methods for determining body length:

If Content-Length is present, its value defines the length in octets.
Otherwise, the body ends when the server closes the connection.

POST requests required a Content-Length header because closing the connection prevented the server from sending a response. There was no chunked transfer encoding. Dynamic content of unknown length required either buffering the entire response before sending or relying on connection close.

Example

A complete HTTP/1.0 exchange. The client requests an HTML page, then opens a second TCP connection to fetch an image referenced in the page.

Initial request

GET /index.html HTTP/1.0
User-Agent: NCSA_Mosaic/2.0 (Windows 3.1)
Accept: text/html

Response

HTTP/1.0 200 OK
Date: Sun, 01 Jan 1995 12:01:00 GMT
Server: CERN/3.0 libwww/2.17
Content-Type: text/html
Content-Length: 80

<html>
Welcome to the <img src="/logo.gif"> example.re
homepage!
</html>

Second connection (to fetch the image)

GET /logo.gif HTTP/1.0
User-Agent: NCSA_Mosaic/2.0 (Windows 3.1)
Accept: image/gif

Response

HTTP/1.0 200 OK
Date: Sun, 01 Jan 1995 12:01:01 GMT
Server: CERN/3.0 libwww/2.17
Content-Type: image/gif
Content-Length: 5000

<Encoded data of logo.gif>

Each request opens a new TCP connection. The server closes the connection after each response.

Limitations

HTTP/1.0 had significant constraints HTTP/1.1 addressed:

No mandatory Host header: a server listening on a single IP address had no way to distinguish between different domains. Virtual hosting was not possible with pure HTTP/1.0.
Connection per request: each request required a new TCP connection with full handshake overhead.
No chunked transfer encoding: dynamic content of unknown length had to be buffered completely or terminated by connection close.
Limited caching: only date-based, no ETags, no max-age, no revalidation beyond If-Modified-Since.
No persistent connections in the spec: Keep-Alive was a non-standard extension with proxy compatibility issues.
No content negotiation in core: Accept headers were in Appendix D with inconsistent implementations.
No range requests: no mechanism for resumable downloads or partial content retrieval.

HTTP/1.0

History

What HTTP/1.0 added

Request and response structure

Methods

Status codes

Headers

Content types

Authentication

Caching

Connection model

The Keep-Alive extension

Entity body length

Example

Limitations

See also