HTTP Protocol Upgrade Mechanism

When an active HTTP/1.1 connection needs to switch to a different protocol, the protocol upgrade mechanism handles the transition using the Upgrade and Connection headers without closing the existing connection. In practice, WebSocket is the primary protocol negotiated through this mechanism.

Table of Contents

Usage
Client-initiated upgrade
Server-initiated upgrade
WebSocket upgrade
Optimistic data risks
Handling 426 Upgrade Required
HTTP/2, HTTP/3, and protocol negotiation
- TLS ALPN
- websocket-over-http/2-and-http/3
See also

Usage

A protocol upgrade starts when the client sends an HTTP/1.1 request with the Upgrade header listing one or more desired protocols. The Connection header must include the Upgrade token because Upgrade is a hop-by-hop header.

The server is free to ignore the upgrade request. Supporting a protocol does not oblige the server to accept the switch. When the server agrees, the response is 101 Switching Protocols with the selected protocol in the Upgrade header. The original HTTP request continues under the new protocol once the switch completes.

When the server ignores the Upgrade header, a normal HTTP response such as 200 OK is returned and the connection remains on HTTP/1.1.

Hop-by-hop header

The Upgrade header is hop-by-hop, meaning each intermediary (proxy, load balancer, CDN) processes the header independently. Intermediaries are not required to forward the header. A reverse proxy sitting between client and server often terminates the upgrade request and establishes a separate connection to the backend.

Client-initiated upgrade

The client adds Upgrade and Connection to a standard HTTP request. Additional protocol-specific headers are included as needed. The server responds with 101 to accept or returns a regular response to decline.

The Upgrade header accepts a comma-separated list of protocol tokens. The order reflects client preference, with the most preferred protocol listed first.

Server-initiated upgrade

A server requiring a protocol change before fulfilling a request responds with 426 Upgrade Required. This informs the client the resource is available only over a different protocol. The response includes an Upgrade header listing the required protocol.

A common scenario: a server demands HTTPS before serving a confidential resource, returning 426 with Upgrade: TLS/1.0 and a Connection header containing the Upgrade token. The client then initiates a TLS connection.

There is no guarantee the server fulfills the request even after a successful upgrade.

WebSocket upgrade

The dominant real-world use of the protocol upgrade mechanism is establishing WebSocket connections over HTTP/1.1. The client sends a GET request with Upgrade: websocket along with the WebSocket handshake headers.

Request

GET /chat HTTP/1.1
Host: www.example.re
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
Origin: https://example.re

Response

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=

After the server returns 101, subsequent data flows as WebSocket frames rather than HTTP messages. The Sec-WebSocket-Key and Sec-WebSocket-Accept exchange confirms both sides understand the WebSocket protocol and prevents intermediary caches from replaying stale upgrade responses.

Optimistic data risks

Some clients send new-protocol data immediately after requesting an upgrade, before the server responds with 101 Switching Protocols. This optimistic approach reduces latency but creates a request smuggling vulnerability.

If the server rejects the upgrade and returns a normal HTTP response, the optimistic data stays in the connection buffer. An attacker controlling the data source crafts payloads the server interprets as valid HTTP requests. The server processes these as legitimate, letting the attacker issue requests under the client's identity and bypass access controls.

The same risk applies to the CONNECT method when proxy clients forward data from untrusted sources before receiving a 2xx confirmation.

Wait for server confirmation

Clients handling untrusted data sources must not send optimistic data on an HTTP/1.1 connection. Wait for 101 (Upgrade) or a 2xx response (CONNECT) before forwarding any new-protocol traffic. Sending Connection: close is an alternative safeguard preventing subsequent request smuggling on the same connection.

Handling 426 Upgrade Required

When a server responds with 426 Upgrade Required, the client must switch to the protocol specified in the Upgrade header before retrying the request. The response always includes an Upgrade header listing the required protocol.

HTTP/1.1 426 Upgrade Required
Upgrade: TLS/1.0
Connection: Upgrade

A client receiving this response over an unencrypted connection initiates a TLS handshake and retries the request over HTTPS. Misconfigured clients or those unable to support the required protocol fail with an error rather than retrying indefinitely.

Note

A 426 response is distinct from a 301 or 308 redirect to an HTTPS URL. Redirects instruct the client to re-request at a new location. A 426 tells the client to change the protocol on the current connection. In practice, HTTPS redirects are far more common than 426 responses for enforcing TLS.

HTTP/2, HTTP/3, and protocol negotiation

The protocol upgrade mechanism is specific to HTTP/1.1. HTTP/2 and HTTP/3 do not support the Upgrade header or the 101 status code.

The original HTTP/2 specification included an upgrade path using the h2c token in the Upgrade header for cleartext HTTP/2 connections. The current HTTP/2 specification deprecated this mechanism because the approach was never widely deployed. The h2c token must not be sent by clients or selected by servers.

TLS ALPN

Modern HTTP version negotiation relies on TLS Application-Layer Protocol Negotiation (ALPN). During the TLS handshake, the client sends a list of supported protocol identifiers and the server selects one. This negotiation completes within the TLS handshake without adding extra round-trips.

Common ALPN protocol identifiers:

Identifier Protocol

Identifier	Protocol
`http/1.1`	websocket-over-http/2-and-http/3- because-[[2">HTTP/2 lacks the Upgrade mechanism, WebSocket connections over HTTP/2 use the extended CONNECT method. The server advertises support through the `SETTINGS_ENABLE_CONNECT_PROTOCOL` setting, and the client sends a CONNECT request with `:protocol` set to `websocket`. The same approach extends to HTTP/3. WebSocket multiplexing The extended CONNECT method allows WebSocket traffic to share a single TCP connection (HTTP/2) or QUIC connection (HTTP/3) with regular HTTP streams, benefiting from multiplexing and flow control. See also RFC 9931: Security Considerations for Optimistic Protocol Transitions in HTTP/1.1 RFC 9110 Section 7.8: Upgrade RFC 7301: TLS ALPN Upgrade Connection 101 Switching Protocols 426 Upgrade Required WebSocket WebSocket Secure HTTP connection management HTTPS HTTP headers Last updated: April 4, 2026 HTTP Status Tester Test live and from different countries the HTTP responses, redirect chains and status codes of one or multiple URLs. Try it now! About the author Fili Technical SEO Consultant Fili is a former Google Search Engineer, and currently a Technical SEO Consultant at Search Brothers Status HTTP Status Codes overview 100 Continue 101 Switching Protocols 102 Processing 103 Early Hints 200 OK 201 Created 202 Accepted 203 Non-Authoritative Information 204 No Content 205 Reset Content 206 Partial Content 207 Multi-Status 208 Already Reported 218 This is fine 226 IM Used 300 Multiple Choices 301 Moved Permanently 302 Found 303 See Other 304 Not Modified 305 Use Proxy 306 Switch Proxy 307 Temporary Redirect 308 Permanent Redirect 400 Bad Request 401 Unauthorized 402 Payment Required 403 Forbidden 404 Not Found 405 Method Not Allowed 406 Not Acceptable 407 Proxy Authentication Required 408 Request Timeout 409 Conflict 410 Gone 411 Length Required 412 Precondition Failed 413 Content Too Large 414 URI Too Long 415 Unsupported Media Type 416 Range Not Satisfiable 417 Expectation Failed 418 I'm a teapot 419 Page Expired 420 Method Failure or Enhance your calm 421 Misdirected Request 422 Unprocessable Content 423 Locked 424 Failed Dependency 425 Too Early 426 Upgrade Required 428 Precondition Required 429 Too Many Requests 430 Security Rejection 431 Request Header Fields Too Large 440 Login Time-out 444 No Response 449 Retry With 450 Blocked by Windows Parental Controls 451 Unavailable For Legal Reasons 460 Client closed connection prematurely 463 Too many forwarded IP addresses 464 Incompatible protocol 470 Request Denied 492 User Access Forbidden 493 Unsupported Browser 494 Request header too large 495 SSL Certificate Error 496 SSL Certificate Required 497 HTTP Request Sent to HTTPS Port 498 Invalid Token 499 Token Required or Client Closed Request 500 Internal Server Error 501 Not Implemented 502 Bad Gateway 503 Service Unavailable 504 Gateway Timeout 505 HTTP Version Not Supported 506 Variant Also Negotiates 507 Insufficient Storage 508 Loop Detected 509 Bandwidth Limit Exceeded 510 Not Extended 511 Network Authentication Required 520 Web Server Is Returning an Unknown Error 521 Web Server Is Down 522 Connection Timed Out 523 Origin Is Unreachable 524 A Timeout Occurred 525 SSL Handshake Failed 526 Invalid SSL Certificate 527 Railgun Listener to Origin 529 The Service Is Overloaded 530 Site Frozen 531 Upstream Connection Error 532 Response Too Large 533 Upstream TLS Error 534 Application Error 535 Unknown Application 536 HTTP Response Timeout 537 DNS Resolution Error 538 Request Loop 539 Serverless Timeout 540 Temporarily Disabled 541 Out of Workers 542 Database Error / Header Overflow 543 Communication Error / Upstream Timeout 544 Management Error / Invalid Host Header 545 Authentication Error / Component Not Ready 546 Unknown Application / TLS Error 547 No HTTP Response 548 Invalid Response / DNS Resolution Error 549 Authentication Gateway Error / Application Crash 552 Application Unreachable 553 Directory Service Error 554 Authentication Token Error 555 Application Does Not Support Kerberos 556 Unexpected Authentication Challenge 557 KDC Unreachable 558 Connection Limit Stop 559 Connection Limit Stop 561 Unauthorized 562 Credential Error 598 Network Read Timeout Error 599 Network Connect Timeout Error 600 Invalid Headers 893 Load Balancing Overflow 999 Request Denied Headers HTTP Headers overview A-IM Accept Accept-CH Accept-CH-Lifetime Accept-Charset Accept-Datetime Accept-Encoding Accept-Language Accept-Patch Accept-Post Accept-Ranges Accept-Signature Access-Control-Allow-Credentials Access-Control-Allow-Headers Access-Control-Allow-Methods Access-Control-Allow-Origin Access-Control-Expose-Headers Access-Control-Max-Age Access-Control-Request-Headers Access-Control-Request-Method Age Akamai-GRN Allow Alt-Svc Alt-Used Authentication-Info Authorization Available-Dictionary Cache-Control Cache-Group-Invalidation Cache-Groups Cache-Status Capsule-Protocol CDN-Cache-Control CDN-Loop Cf-Cache-Status Cf-Edge-Cache Cf-Mitigated Cf-Ray Clear-Site-Data Client-Cert Client-Cert-Chain Connection Content-Digest Content-Disposition Content-Encoding Content-Language Content-Length Content-Location Content-MD5 Content-Range Content-Security-Policy Content-Security-Policy-Report-Only Content-Type Cookie Critical-CH Cross-Origin-Embedder-Policy Cross-Origin-Embedder-Policy-Report-Only Cross-Origin-Opener-Policy Cross-Origin-Opener-Policy-Report-Only Cross-Origin-Resource-Policy Date Delta-Base Deprecation Device-Memory Dictionary-ID Digest DNT Document-Isolation-Policy Document-Isolation-Policy-Report-Only Document-Policy Downlink DPoP DPoP-Nonce Early-Data ECT Edge-Control ETag Expect Expect-CT Expires Feature-Policy Forwarded From GLB-X-Seen-By Host Host-Header HTTP2-Settings If-Match If-Modified-Since If-None-Match If-Range If-Unmodified-Since IM Incremental Keep-Alive Last-Event-ID Last-Modified Link Link-Template Location Max-Forwards Memento-Datetime MIME-Version NEL No-Vary-Search Onion-Location Origin Origin-Agent-Cluster Origin-Trial P3P Panel Permissions-Policy Ping-From Ping-To Platform Powered-By Pragma Prefer Preference-Applied Priority Proxy-Authenticate Proxy-Authentication-Info Proxy-Authorization Proxy-Status Public-Key-Pins Public-Key-Pins-Report-Only Purpose Range RateLimit-Limit RateLimit-Remaining RateLimit-Reset Referer Referrer-Policy Refresh Replay-Nonce Report-To Reporting-Endpoints Repr-Digest Request-Context Retry-After RTT Save-Data Sec-CH-Prefers-Color-Scheme Sec-CH-Prefers-Reduced-Motion Sec-CH-UA Sec-CH-UA-Arch Headers Sec-CH-UA-Bitness Sec-CH-UA-Full-Version-List Sec-CH-UA-Mobile Sec-CH-UA-Model Sec-CH-UA-Platform Sec-CH-UA-Platform-Version Sec-Fetch-Dest Sec-Fetch-Mode Sec-Fetch-Site Sec-Fetch-User Sec-GPC Sec-Purpose Sec-Speculation-Tags Sec-WebSocket-Accept Sec-WebSocket-Extensions Sec-WebSocket-Key Sec-WebSocket-Protocol Sec-WebSocket-Version Server Server-Timing Set-Cookie Shopify-Complexity-Score Signature Signature-Agent Signature-Input SourceMap Speculation-Rules Strict-Transport-Security Sunset Supports-Loading-Mode Surrogate-Control Surrogate-Key TE Timing-Allow-Origin Traceparent Traceresponse Tracestate Trailer Transfer-Encoding Upgrade Upgrade-Insecure-Requests Use-As-Dictionary User-Agent Vary Via Want-Content-Digest Want-Digest Want-Repr-Digest Warning WWW-Authenticate X-AC X-Adblock-Key X-Akamai-Transformed X-Amz-Cf-Id X-Amz-Cf-Pop X-Amz-Id-2 X-Amz-Request-Id X-Amz-Server-Side-Encryption X-Amz-Version-Id X-Amzn-RequestId X-Amzn-Trace-Id X-AspNet-Version X-AspNetMvc-Version X-Azure-Ref X-B3-TraceId X-Cache X-Cache-Group X-Cache-Hits X-Cache-Miss-From X-Cache-Status X-Cacheable X-CDN X-Clacks-Overhead X-Cloud-Trace-Context X-Content-Security-Policy X-Content-Type-Options X-ContextId X-Correlation-Id X-DC X-DNS-Prefetch-Control X-Domain X-Download-Options X-Drupal-Cache X-Drupal-Dynamic-Cache X-Envoy-Upstream-Service-Time X-Fastly-Request-Id X-FB-Debug X-Forwarded-For X-Forwarded-Host X-Forwarded-Proto X-Frame-Options X-Generator X-GitHub-Request-Id X-Hacker X-Host X-IInfo X-IPLB-Instance X-IPLB-Request-Id X-LiteSpeed-Cache X-LiteSpeed-Cache-Control X-LiteSpeed-Tag X-Matched-Path X-Meta-Site-Id X-Middleware-Rewrite X-MS-Request-Id X-Nextjs-Cache X-Nextjs-Prerender X-Nextjs-Stale-Time X-Nf-Request-Id X-Pcrew-Blocked-Reason X-Pcrew-Ip-Organization X-Permitted-Cross-Domain-Policies X-Pingback X-Powered-By X-Proxy-Cache X-RateLimit-Limit X-RateLimit-Remaining X-RateLimit-Reset X-Real-IP X-Redirect X-Redirect-By X-Request-ID X-Robots-Tag X-Runtime X-Seen-By X-Served-By X-ShardId X-ShopId X-SiteId X-Sorting-Hat-PodId X-Sorting-Hat-ShopId X-Storefront-Renderer-Rendered X-Sucuri-Id X-Timer X-Turbo-Charged-By X-UA-Compatible X-Varnish X-Vercel-Cache X-Vercel-Id X-Version X-WebKit-CSP X-Wix-Cache-Control X-Wix-Request-Id X-WS-RateLimit-Limit X-WS-RateLimit-Remaining X-XSS-Protection Methods HTTP Methods overview CONNECT DELETE GET HEAD OPTIONS PATCH POST PRI PUT QUERY TRACE HTTP Testing Tools HTTP Status Tester HTTP Compression Check HTTP/2 Check HTTP/3 Check HTTP Response API URL Parse API Content-Type Check HTTP Specifications HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/3 HTTP Authentication HTTP Caching Canonical URLs Client Hints HTTP Compression HTTP Conditional Requests HTTP Content Negotiation HTTP Cookies Cross-Origin Resource Sharing (CORS) Data URLs HTTP Explained Hreflang HTTP Strict Transport Security HTTP Connection Management HyperText Transfer Protocol Secure (HTTPS) HyperText Transfer Protocol (HTTP) HTTP Media Types Oblivious HTTP Origins Percent-Encoding Problem Details for HTTP APIs HTTP Protocol Upgrade Mechanism Punycode HTTP Range Requests HTTP Redirections HTTP Request Resource Hints HTTP Response A Typical HTTP Session Soft 404s HTTP Streaming HTTP Structured Fields Uniform Resource Identifier (URI) Uniform Resource Locator (URL) Uniform Resource Name (URN) WebDAV Well-Known URIs WHIP (WebRTC-HTTP Ingestion Protocol) WebSocket WebSocket Secure (wss://) Made with ♥ by Technical SEO Consultant Fili © 2022 - 2026 Licensed under CC BY-NC-ND 4.0

http/1.1

websocket-over-http/2-and-http/3-

because-[[2">HTTP/2 lacks the Upgrade mechanism, WebSocket connections over HTTP/2 use the extended CONNECT method. The server advertises support through the SETTINGS_ENABLE_CONNECT_PROTOCOL setting, and the client sends a CONNECT request with :protocol set to websocket. The same approach extends to HTTP/3.

WebSocket multiplexing

The extended CONNECT method allows WebSocket traffic to share a single TCP connection (HTTP/2) or QUIC connection (HTTP/3) with regular HTTP streams, benefiting from multiplexing and flow control.