matthyk's blog
Back to blog
3 min read
Why Semantic HTTP Conformance Matters

HTTP conformance refers to how closely an implementation follows the requirements defined by the HTTP specifications.

In practical terms, conformance covers both protocol syntax and protocol semantics. Syntax conformance focuses on whether messages are formed and transmitted correctly (for example, framing, header processing, and transfer behavior). Semantic conformance focuses on whether those messages communicate the intended HTTP meaning as defined by the standard.

A simple example is authentication failure handling. If a protected resource is requested without valid credentials, a conformant semantic response uses an authentication-related status code such as 401 Unauthorized (or 403 Forbidden where appropriate), rather than a generic 400 Bad Request. This distinction is not merely stylistic: the status code communicates machine-actionable meaning to clients.

There is already substantial research [1] [2] [3] showing that conformance can be security-critical and can create attack surfaces when implementations diverge from the standard. Much of this work focuses on syntax-level conformance: how data is encoded, framed, and transmitted over the protocol.

Semantic conformance, however, focuses on what is being communicated. The semantics of HTTP are defined in RFC 9110 [4] and RFC 9111 [5], while the wire-level transmission details are defined in the RFCs for each HTTP version.

And why it matters?

When a user agent, whether human or agentic AI, interacts with an HTTP API, it relies on the interface behaving as documented. That includes behavior in API descriptions such as OpenAPI, but also behavior defined directly by the HTTP specification.

Returning to the status code example above: if an origin server returns 400 Bad Request for missing authentication and only hints at the real issue in the response body, a human client may still recover. An autonomous agent will often struggle more. If the server returns 401 Unauthorized or 403 Forbidden instead, the response semantics are immediately clear and the client can react correctly.

Another example is sending validators such as ETag or Last-Modified headers where appropriate. Omitting them may not create direct security issues, but it makes caching significantly harder and leaves one of HTTP’s most powerful response-time optimization mechanisms underused.

In short, it is worth consulting the specification when implementing HTTP APIs: semantic conformance improves interoperability, reliability, and machine-actionable behavior.

References

[1] Rautenstrauch, J., and Stock, B. (2024). Who’s Breaking the Rules? Studying Conformance to the HTTP Specifications and its Security Impact. In Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, 843-855.

[2] Benhabbour, I., Attia, M., and Dacier, M. (2025). HTTP Conformance vs. Middleboxes: Identifying Where the Rules Actually Break Down. In International Conference on Passive and Active Network Measurement, 155-181. Springer.

[3] Attia, M., Benhabbour, I., and Dacier, M. (2025). The Developer, the RFC, and the Middlebox: An HTTP/2 Compliance Story. In Proceedings of the 2025 ACM Internet Measurement Conference, 258-273.

[4] Fielding, R., Nottingham, M., and Reschke, J. (2022). RFC 9110: HTTP Semantics. https://www.rfc-editor.org/rfc/rfc9110

[5] Fielding, R., Nottingham, M., and Reschke, J. (2022). RFC 9111: HTTP Caching. https://www.rfc-editor.org/rfc/rfc9111