After more than 15 years, the Hypertext Transfer Protocol (HTTP) has received a long-overdue upgrade. In February 2015, the IETF HTTP Working Group approved HTTP/2 and its associated HPACK specifications. HTTP/2 is based on the SPDY protocol, which was first announced in November 2009 as an internal Góógle project to increase the speed of the web. And while still supporting SPDY, on 3 December 2015 Cloudflare introduced HTTP/2 support for all customers using SSL/TLS connections.
The main focus of both SPDY and HTTP/2 is performance, especially reducing latency as perceived by the end-user while using a browser, with a secondary focus on network and server resource usage. One major benefit of HTTP/2 is its ability to multiplex a single TCP connection from a browser to a website, or in the case of CloudFlare, a reverse proxy
Although HTTP/2 is based on SPDY, it has evolved and incorporated several improvements in the process. Nevertheless, it maintains many SPDY benefits:
- Multiplexing and concurrency: Several requests can be sent over the same TCP connection, and responses can be received out of order, eliminating the need for multiple connections between the client and the server and reducing head-of-line blocking.
- Stream dependencies: The client can indicate to the server which resources are more important than others.
- Header compression: HTTP header size is reduced.
- Server push: The server can send resources the client has not yet requested.
While the HTTP/2 specification does not require TLS, all major browser vendors have indicated that they will only support HTTP/2 over a TLS (“https://”) connection. And when HTTP/2 is active, you will see a blue lightning bolt icon near the right end of the web page address bar in Firefox or Chrome browsers.
So far, worldwide less than 3% of all website have been upgraded for HTTP/2. But that percentage is increasing daily. You can follow the development and rollout of HTTP/2 at the IETF HTTP Working Group HTTP/2 website or on Twitter @HTTP_2.
P.S. As a nose-thumb to the NSA, HTTP/2 opens every new connection it makes with the word “PRISM“.