
8. Security Considerations

The security considerations of HTTP [HTTP] apply to the use of the binary format. The format is a serialization, not a security mechanism: on its own it provides neither confidentiality nor integrity, and it can carry any HTTP message, including ones with credentials, cookies and other sensitive fields, so whatever handles encoded messages inherits the HTTP guidance on protecting those values.

Key security considerations:

  1. Message Validation - Recipients MUST validate that a message conforms to the format before acting on any part of it. In particular, every length prefix must be checked against the bytes actually present before it is used to slice or allocate: a decoder that trusts a prefix it has not bounded hands control of its memory accesses to whoever wrote the message.

  2. Size Limits - Implementations SHOULD impose limits on the total message size and on the number and size of fields. A length prefix can claim far more bytes than the peer ever sends, so a recipient that reserves memory on the strength of a prefix, before the data has arrived, can be exhausted cheaply; the limit has to be enforced at the point the prefix is read.

  3. Field Name Case - HTTP field names are case-insensitive. Implementations MUST convert field names to lowercase on receipt so that a check keyed on a name (a filter that strips Authorization before forwarding, say) cannot be bypassed by sending the same field as aUTHORIZATION, and so that two components in a processing chain cannot be made to disagree about which fields a message carries.

  4. Truncation - A message whose bytes run out before a length prefix has been satisfied is truncated, not merely short. Truncation must be detected and the message rejected; a recipient must not process the part it did receive as if it were the whole message, since the missing part may hold the field or content that a decision depends on.

  5. Authenticated Encryption - The format itself encrypts and authenticates nothing. What it provides is a whole message serialized as a single byte string, which can be the plaintext of an AEAD; the resulting tag then covers control data, headers, content and trailers together, so any modification of the protected message is detected when it is decrypted.

  6. Information Exposure - Binary encoding conceals nothing by itself: field names and values are present in the clear, just as in the text encoding. The reduction in exposure comes when a whole message, with any padding, is encrypted as one unit, so that an observer sees neither its fields nor its exact length.

  7. Invalid Messages - A message that fails any of the checks above MUST be treated as an error and MUST NOT be forwarded. Silently repairing such a message, or accepting the parseable prefix of it, is the raw material of request smuggling: two components that disagree about where a message ends or which fields it contains can be made to act on different messages.
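The checks in items 1 to 4 and 7 above, as one decoder for a known-length request. This is an added example, not code from the original page or from any binary HTTP implementation. It assumes the known-length request layout of RFC 9292 (framing indicator, then length-prefixed method, scheme, authority and path, a header field section, and content) with QUIC variable-length integers as length prefixes; it stops after the content, so trailers and padding are not parsed and any leftover bytes are rejected; and the size limits, error classes and sample message are constructed for illustration.

```python
"""Decoder for a known-length binary HTTP request with the recipient-side checks.
Assumed layout (RFC 9292, Section 3.1): framing indicator, then length-prefixed
method, scheme, authority, path, a header field section and content; every length
prefix is a QUIC variable-length integer (RFC 9000, Section 16)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative limits, assumed here rather than taken from the specification.
MAX_MESSAGE, MAX_NAME, MAX_VALUE = 1 << 20, 256, 8192

# A field name must be an HTTP token (RFC 9110, Section 5.6.2): no controls, spaces
# or separators, including the colon that would smuggle in a pseudo-header.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class Truncated(ValueError): "The message ended before a length prefix was satisfied."
class Invalid(ValueError): "The message is all there but does not conform to the format."
class TooLarge(ValueError): "A length prefix or the message exceeds a configured limit."

@dataclass
class Request:
    method: str
    scheme: str
    authority: str
    path: str
    headers: list[tuple[str, bytes]]
    content: bytes

class Reader:
    """Cursor over a byte string.  ``eof`` is the error for running out of bytes:
    Truncated at message level, but Invalid inside a field section whose declared
    length was satisfied (the bytes are all present; the message is inconsistent)."""
    def __init__(self, buf: bytes, eof: type[ValueError] = Truncated) -> None:
        self.buf, self.pos, self.eof = buf, 0, eof

    def varint(self) -> int:
        """QUIC varint: the first byte's top two bits select a 1-, 2-, 4- or 8-byte
        encoding; the remaining bits hold the big-endian value."""
        if self.pos >= len(self.buf):
            raise self.eof("no length prefix where one is required")
        n = 1 << (self.buf[self.pos] >> 6)
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) < n:
            raise self.eof("length prefix cut short")
        self.pos += n
        return int.from_bytes(chunk, "big") & ((1 << (8 * n - 2)) - 1)

    def bytes(self, limit: int) -> bytes:
        """Length-prefixed string.  The limit is applied before the prefix is trusted
        (never allocate on an attacker-chosen length) and the bytes on hand are
        counted before slicing (a short read is an error, not a shorter value)."""
        n = self.varint()
        if n > limit:
            raise TooLarge(f"length {n} exceeds limit {limit}")
        if n > len(self.buf) - self.pos:
            raise self.eof(f"need {n} bytes, have {len(self.buf) - self.pos}")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def field_section(self) -> list[tuple[str, bytes]]:
        """Known-length field section.  Names must be tokens and are lowercased, so
        a later ``name == "authorization"`` check cannot be bypassed by ``Authorization``."""
        sub = Reader(self.bytes(MAX_MESSAGE), eof=Invalid)
        fields = []
        while sub.pos < len(sub.buf):
            name, value = sub.bytes(MAX_NAME), sub.bytes(MAX_VALUE)
            if not TOKEN.fullmatch(name):
                raise Invalid(f"field name {name!r} is not a token")
            fields.append((name.decode("ascii").lower(), value))
        return fields

def parse_request(msg: bytes) -> Request:
    """Decode a known-length request (framing indicator 0).  This example stops after
    the content: trailers and padding are not parsed, so leftover bytes are rejected."""
    if len(msg) > MAX_MESSAGE:
        raise TooLarge("message exceeds limit")
    r = Reader(msg)
    if (framing := r.varint()) != 0:
        raise Invalid(f"framing indicator {framing} is not a known-length request")
    method, scheme, authority, path = (r.bytes(MAX_VALUE) for _ in range(4))
    if not method:
        raise Invalid("empty method")
    headers = r.field_section()
    content = r.bytes(MAX_MESSAGE)
    if r.pos != len(msg):
        raise Invalid("bytes after content (trailers and padding not handled here)")
    return Request(*(s.decode("latin-1") for s in (method, scheme, authority, path)), headers, content)

def classify(msg: bytes) -> str:
    """A recipient's verdict on a message: "ok", "truncated", "invalid" or "toolarge"."""
    try:
        parse_request(msg)
        return "ok"
    except (Truncated, Invalid, TooLarge) as err:
        return type(err).__name__.lower()

def _lp(s: bytes) -> bytes:  # length-prefix a string shorter than 64 bytes
    return bytes([len(s)]) + s

# A constructed GET request, not a vector from the specification: one header name
# deliberately in mixed case, content "hello", no trailers.
SAMPLE = (b"\x00" + b"".join(map(_lp, (b"GET", b"https", b"example.com", b"/hello.txt")))
          + _lp(b"".join(map(_lp, (b"Host", b"example.com", b"user-agent", b"curl/7.16.3"))))
          + _lp(b"hello"))
```

The distinction the `eof` parameter draws is worth keeping in a real decoder: bytes missing at the end of the message are truncation, but a field line that overruns its own section's declared length is an inconsistent message (every byte the section length promised is present), so it is classified as invalid rather than truncated. Note also what a parser alone cannot see: if a format allows trailing sections to be omitted, a message cut exactly at a section boundary is indistinguishable from a complete shorter one, and only the outer framing or an AEAD tag can catch that.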

Applying an AEAD to the whole serialized message gives confidentiality and integrity for everything in it, control data and headers included, end to end between the two parties that hold the key and independent of any intermediary that terminates the transport connection. The protection is only as strong as its surroundings: the key must be established securely, a nonce must never repeat under a key, and any context the recipient relies on (which request a response answers, for example) should be bound as associated data rather than carried unprotected.
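The whole-message protection described above, as an added example that is not part of the original page or of any binary HTTP implementation. It uses AES-256-GCM from the `cryptography` package (assumed to be installed); the nonce || ciphertext || tag layout, the use of a caller-supplied context string as associated data, and the sample encoded request are choices made for this example, not part of the binary HTTP format.

```python
"""Seal a complete binary-encoded HTTP message under an AEAD (AES-256-GCM) using the
``cryptography`` package.  The nonce || ciphertext || tag layout and the use of a
caller-supplied context as associated data are choices of this example, not part
of the binary HTTP format."""
from __future__ import annotations

import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN, TAG_LEN = 12, 16  # GCM's standard 96-bit nonce and 128-bit tag


def protect(key: bytes, encoded_msg: bytes, context: bytes) -> bytes:
    """Return nonce || ciphertext || tag.  The entire encoded message, control data
    and headers included, is the plaintext, so a single tag covers all of it;
    ``context`` (say, a request identifier both sides already know) is
    authenticated as associated data without being encrypted."""
    nonce = os.urandom(NONCE_LEN)  # fresh per message: a repeat under one key breaks GCM
    return nonce + AESGCM(key).encrypt(nonce, encoded_msg, context)


def unprotect(key: bytes, blob: bytes, context: bytes) -> bytes | None:
    """Return the encoded message, or None if the tag does not verify.  A rejected
    blob yields no plaintext at all, so nothing of it can be parsed or forwarded."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    try:
        return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], context)
    except InvalidTag:
        return None


# A constructed known-length GET request (framing 0, method, scheme, empty
# authority, path, one "host" header, no content); not a vector from the spec.
SAMPLE_ENCODED = b"\x00\x03GET\x05https\x00\x0a/hello.txt\x11\x04host\x0bexample.com\x00"


def tamper_detected(key: bytes, context: bytes) -> bool:
    """Seal SAMPLE_ENCODED, flip the low bit of the ciphertext byte that encrypts the
    'G' of GET, and report whether unprotect rejects the result.  GCM runs AES in
    counter mode, so without the tag that flip would silently turn GET into FET."""
    blob = bytearray(protect(key, SAMPLE_ENCODED, context))
    blob[NONCE_LEN + 2] ^= 0x01  # plaintext index 2 is 'G' (after framing 0x00 and length 0x03)
    return unprotect(key, bytes(blob), context) is None
```

Binding the context as associated data is what stops a valid, untampered response from being replayed against a different request: the tag verifies only when the recipient supplies the same context it expects, so a blob captured for request-1 fails for request-2 even though nothing in it was altered.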