7.5.4. HTTP Versions and Component Ambiguity
Some message components are expressed in different ways across HTTP versions. For example, the authority of the request target is sent using the Host header field in HTTP/1.1 but with the :authority pseudo-header in HTTP/2. If a signer sends an HTTP/1.1 message and signs the Host header field but the message is translated to HTTP/2 before it reaches the verifier, the signature will not validate, as the Host header field could be dropped.
It is for this reason that HTTP message signatures define a set of derived components that define a single way to get the value in question, such as the @authority derived component (Section 2.2.3) in lieu of the Host header field. Applications should therefore prefer derived components for such options where possible.
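The failure described above, as an added Python example that is not part of the specification text: a request is signed over HTTP/1.1 and verified after an intermediary has translated it to HTTP/2. The message dict layout, the helper names, the key and the simplified signature base (lowercasing as the only @authority normalization, a single keyid parameter) are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, not a real key

def component_value(msg, name):
    """Resolve one covered component; returns None when it is absent."""
    if name == "@method":
        return msg["method"]
    if name == "@authority":
        # Derived component: one value regardless of how the version carries it.
        raw = msg["pseudo"].get(":authority") or msg["headers"].get("host")
        return raw.lower() if raw else None
    return msg["headers"].get(name)  # plain header field lookup

def signature_base(msg, covered):
    lines = []
    for name in covered:
        value = component_value(msg, name)
        if value is None:
            raise KeyError(f"covered component {name!r} missing from message")
        lines.append(f'"{name}": {value}')
    inner = " ".join(f'"{n}"' for n in covered)
    lines.append(f'"@signature-params": ({inner});keyid="demo"')
    return "\n".join(lines)

def sign(msg, covered):
    return hmac.new(KEY, signature_base(msg, covered).encode(), hashlib.sha256).digest()

def verify(msg, covered, sig):
    try:
        expected = sign(msg, covered)
    except KeyError:
        return False  # a covered component is gone, so the base cannot be rebuilt
    return hmac.compare_digest(expected, sig)

def to_http2(msg):
    """Model an intermediary translating HTTP/1.1 to HTTP/2: Host becomes :authority."""
    headers = {k: v for k, v in msg["headers"].items() if k != "host"}
    return {"method": msg["method"], "headers": headers,
            "pseudo": {":authority": msg["headers"]["host"]}}

# Constructed HTTP/1.1 request as the signer sees it, and its HTTP/2 translation.
h1 = {"method": "POST", "pseudo": {},
      "headers": {"host": "example.com", "content-type": "application/json"}}
h2 = to_http2(h1)

def demo():
    host_ok = verify(h2, ["@method", "host"], sign(h1, ["@method", "host"]))
    auth_ok = verify(h2, ["@method", "@authority"], sign(h1, ["@method", "@authority"]))
    return host_ok, auth_ok  # (False, True)
```

A verifier that logs the `KeyError` case separately from a digest mismatch can tell a translated message apart from a tampered one.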