WP HTTP/2 is Here: What You Need to Know | Imperva

HTTP/2 is Here: What You Need to Know

HTTP/2 is Here: What You Need to Know

Our new HTTP/2 website is here! We’re very pleased to announce our support for HTTP/2 today and are committed to helping our customers make the transition to HTTP/2. Later this month we will start rolling out HTTP/2 as a service upgrade for all of our customers.

A Brief History of HTTP/2

In development by the HTTP Working Group since 2012, HTTP/2 was finally approved by the Internet Engineering Task Force (IETF) this past February and continues to be adopted. How will HTTP/2 impact your websites, and what will you need to do to prepare for its deployment?

As you have heard, HTTP/2 is the latest update to the hypertext transport protocol—it’s how browsers communicate with web servers and how pages are rendered within them. Since 1999, the HTTP version has enjoyed remarkable longevity, but is showing its age. Modern websites typically use many design elements that go beyond simple HTML—including CSS, JavaScript and Flash animation. None of which were in use when HTTP was first created; developers have used them as a way of working around HTTP’s inherent limitations.

Google played an important role in making HTTP/2 a reality; its SPDY project was an early attempt at updating HTTP and can be viewed as a HTTP/2 precursor.

How Will HTTP/2 Benefit Websites?

When using HTTP to surf a website, the initial request results in the requested page. Additional items attached to it, such as JavaScript or images, need to be discovered, each of which requires a separate request to retrieve it.

HTTP/2 provides browser multiplexing, where multiple requests can be passed through a single server connection. The server, in turn, has the ability to push several resources at once, thereby reducing the need for multiple trips. One benefit is improved website performance since it’s not necessary to create a new connection every time a request is made.

By pushing all affiliated components at the same time, HTTP/2 reduces the strain on network resources, while pages load more efficiently for the end user. An example posted by HttpWatch demonstrated a 20 percent increase in transfer speed over HTTP.

HTTP/2 also has special security requirements. There was some earlier debate within the IETF team about requiring always-on encryption as part of the HTTP/2 rollout, but it eventually decided that enforcing encryption in all circumstances was not optimal. Even so, HTTP/2 servers will still find it advantageous to choose to use encryption, as doing so will let them work with the widest selection of browsers. Currently there is no browser that supports HTTP/2 unencrypted, so while encryption isn’t required by the IETF team as part of an HTTP/2 rollout, it is highly recommended.

Because HTTP/2 uses fewer connections, servers will experience a decreased load, especially during periods of heavy network traffic. Instead of opening four connections to open one page, as HTTP does, HTTP/2 only opens one connection per host, freeing up network traffic for other requests.

HTTP/2 also transfers information in binary code. With HTTP, data is sent via text, then translated by the host through parsing. Eliminating this process speeds up connections, but eliminates the option of humans being able to read the information without having a tool to translate it. The latter could be a disadvantage for system analysts who are accustomed to going through processes line by line for troubleshooting.

What Is the HTTP/2 Adoption Plan?

Major browsers, such as Chrome and Firefox, already include HTTP/2 support in their latest versions. Google will be phasing out its SPDY project by early 2016. It’s unknown how this will impact sites still using HTTP, but Google is allowing the extra time so developers can either move to the new protocol or, if they aren’t ready to upgrade to HTTP/2, revert to HTTP/1.1 to avoid the problems they might experience with SPDY (as they do to meet the needs of other browser types).

Web servers, however, generally have longer update cycles and will therefore take longer to implement HTTP/2. Apache and Nginx currently support HTTP/2, while others are in the process of adopting the new protocol.

How Should Developers Prepare?

HTTP/2 requires developers to unlearn a lot of tricks they employed to overcome the limitations of HTTP. Design hacks developed to make HTTP run faster, such as CSS sprites and inlining, can create issues when used with HTTP/2.

In addition, since HTTP/2 is binary, some network inspection/management techniques and tools that you’ve relied on in the past will no longer be useful. For example, plain-text debugging is no longer an option. Therefore monitoring tools will need upgrading as soon as HTTP/2-friendly updates are rolled out.

Web server frameworks will also have to be updated to support HTTP/2, although some, like Yesod and Express, are already compliant and may simply require that an ops specialist enable the protocol.


The benefits of HTTP/2 are many, but the updated protocol will require developers to change some their ways. As for us at Incapsula, we are making changes so that your site can take advantage of what the new protocol can offer. Stay tuned for future blogs on HTTP/2 and updates from us.