The history of HTTP in under 5 minutes
A 5-minute trip through HTTP, version by version: what each one added, what stuck, and what quietly didn't.
HTTP/0.9 (1991)
Tim Berners-Lee's "one-line protocol": the client sends GET /path, the server returns the document, the connection closes. No headers, no methods beyond GET, no metadata. Everything since has been backwards-compatible with this single line, in spirit if not on the wire.
HTTP/1.0 (RFC 1945, 1996)
Added the request/response header model the rest of the protocol hangs off of:
| Header | Purpose |
|---|---|
Content-Type | Media type of the body |
Content-Length | Body size in bytes |
Last-Modified | When the resource last changed |
Expires | Cache freshness deadline |
Connection: keep-alive existed as a non-standard extension, but the default was still one TCP connection per request — the main performance limit.
HTTP/1.1 (RFC 2068 → 2616 → 7230-7235, reorganized as RFC 9110-9112 in 2022)
Persistent connections became the default. Pipelining was specified but never shipped in browsers — broken intermediaries and head-of-line blocking killed it. Chunked transfer encoding and richer caching arrived, plus:
| Header | Purpose |
|---|---|
Host | Required header, enabled HTTP virtual hosting |
Cache-Control | Caching policy (max-age, no-cache, etc.) |
ETag | Resource version for conditional requests |
Connection | Persistence semantics |
The HTTP/1.1 Upgrade mechanism is also the foothold for separate specs that ride on top: WebSockets (RFC 6455, 2011) does the upgrade handshake; Server-Sent Events (defined in WHATWG HTML, not HTTP) is a long-lived text/event-stream response. Neither is part of HTTP/1.1 itself.
HTTP/2 (RFC 7540, 2015)
Switched from text to a binary framing layer for unambiguous parsing. The headline feature is multiplexing — concurrent streams over a single TCP connection, eliminating connection-level head-of-line blocking. Headers compress with HPACK.
ALPN (a TLS extension, RFC 7301) is what actually negotiates HTTP/2 during the TLS handshake; HTTP/2 didn't introduce it but is the reason it got widely deployed. h2c (cleartext HTTP/2) exists in the spec but every browser requires TLS in practice.
Server push was introduced here, then quietly buried — Chrome removed support in 2022 and most stacks followed. RFC 7540's stream prioritization scheme was likewise deprecated and replaced by RFC 9218 (Extensible Priorities) in 2022.
HTTP/3 (RFC 9114, 2022)
Swaps TCP for QUIC (RFC 9000), running over UDP. QUIC was inspired by Google's gQUIC and substantially redesigned at the IETF. The wins:
- TLS 1.3 is built in — no separate TCP handshake before TLS, and there is no unencrypted QUIC variant
- Streams are independent at the transport layer, so a dropped packet stalls only its own stream instead of the whole connection — the head-of-line fix TCP couldn't give HTTP/2
- 0-RTT resumption for known peers; 1-RTT for new connections
HPACK was replaced with QPACK (RFC 9204) to handle out-of-order stream delivery. Multiplexing carries over from HTTP/2 conceptually, but in QUIC it's a transport-level feature instead of layered on top of TCP.