The IETF has published a bunch of new RFCs to update HTTP/1.1 specs and make the 15 year old 2616 obsolete:
Here I listed a few changes:
- Userinfo (i.e., username and password) are now disallowed in HTTP and HTTPS URIs, because of security issues related to their transmission on the wire.
- Header fields that span multiple lines ("line folding") are deprecated.
- Bogus Content-Length header fields are now required to be handled as errors by recipients.
- Gateways do not need to generate Via header fields anymore.
- The limit of two connections per server has been removed. An idempotent sequence of requests is no longer required to be retried. The requirement to retry requests under certain circumstances when the server prematurely closes the connection has been removed. Also, some extraneous requirements about when servers are allowed to close connections prematurely have been removed.
- The semantics of the Upgrade header field is now defined in responses other than 101
- The Expect header field's extension mechanism has been removed due to widely-deployed broken implementations.
- The "about:blank" URI has been suggested as a value for the Referer header field when no referring URI is applicable, which distinguishes that case from others where the Referer field is not sent or has been removed.
- The following status codes are now cacheable (that is, they can be stored and reused by a cache without explicit freshness information present): 204, 404, 405, 414, 501.
- The 201 (Created) status description has been changed to allow for the possibility that more than one resource has been created.
- Method Registry: http://www.iana.org/assignments/http-methods/http-methods.xhtml
- Status Code Registry: http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Happy reading, happy implementing!