
HTTP / TLS — Notes

Numbers worth memorising

  • TLS 1.3 handshake: 1 RTT (0-RTT for resumption).
  • HTTP/2 max concurrent streams: 100 (SETTINGS_MAX_CONCURRENT_STREAMS; RFC 9113 recommends no less than 100, and the value is unlimited until the peer advertises one).
  • HPACK dynamic table default: 4 KB.
  • QUIC idle timeout: 30 s is the usual implementation default (RFC 9000 fixes no default; max_idle_timeout is a negotiated transport parameter, and the timer is disabled if both sides omit it).

Practical advice

  • Don't terminate TLS in app servers — use a dedicated edge (NGINX, Envoy, ALB).
  • Force HTTPS at edge; HSTS with preload if you control all subdomains.
  • Keep private keys in an HSM/KMS, never on the app host; rotate certificates automatically via ACME (Let's Encrypt).
  • Internally, restrict to TLS 1.3 only: all of its cipher suites are AEAD, so no legacy CBC or stream-cipher suites can be negotiated.
  • HTTP/2 over plaintext (h2c) is technically allowed but no browser supports it.

Gotchas

  • Connection: close defeats keep-alive: every request pays a fresh TCP (and TLS) handshake, so latency climbs.
  • gRPC over HTTP/2 — long-lived streams + RST_STREAM mid-call for cancellation.
  • HTTP/2 server push is effectively dead (Chrome 106 removed support).
  • 0-RTT early data can be replayed by an on-path attacker, so never accept it for non-idempotent operations; have the edge mark such requests (RFC 8470 Early-Data: 1 header) and let the app answer 425 Too Early for anything that changes state.
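
The 0-RTT gotcha above in working code, added here as an example rather than anything from the original notes: a WSGI middleware that answers 425 Too Early (RFC 8470) when early data carries a non-safe method. It assumes the TLS edge forwards the Early-Data header as described in the docstring; `RejectEarlyData`, `simulate` and `_ok_app` are names invented for this example.

```python
"""WSGI middleware refusing TLS 1.3 0-RTT early data for state-changing requests.

Assumes the TLS edge terminates 0-RTT (e.g. nginx: `ssl_early_data on;` plus
`proxy_set_header Early-Data $ssl_early_data;`), forwards RFC 8470's
`Early-Data: 1` header, and strips any client-supplied copy of that header.
"""

# RFC 9110 "safe" methods: replaying one cannot change server state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def is_replayable(method, early_data_header, safe_methods=SAFE_METHODS):
    """True if the request arrived as early data (RFC 8470 value "1") and is unsafe."""
    return early_data_header == "1" and method.upper() not in safe_methods


class RejectEarlyData:
    """Answer 425 Too Early so the client retries once the handshake completes."""

    def __init__(self, app, safe_methods=SAFE_METHODS):
        self.app = app
        self.safe_methods = safe_methods

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        early = environ.get("HTTP_EARLY_DATA", "")  # WSGI name for Early-Data
        if is_replayable(method, early, self.safe_methods):
            body = b"425 Too Early: retry after the TLS handshake completes\n"
            start_response("425 Too Early", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _ok_app(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def simulate(method, early_data=None):
    """Drive one constructed request through the middleware; return (status, body)."""
    environ = {"REQUEST_METHOD": method}
    if early_data is not None:
        environ["HTTP_EARLY_DATA"] = early_data
    captured = {}
    start = lambda status, headers: captured.setdefault("status", status)
    body = b"".join(RejectEarlyData(_ok_app)(environ, start))
    return captured["status"], body
```

A GET in early data passes through, a POST in early data gets 425, and a POST on a completed handshake (no header) is served normally.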

Refs

  • RFC 9110 (HTTP semantics) and RFC 9112 (HTTP/1.1), RFC 9113 (HTTP/2), RFC 9114 (HTTP/3).
  • RFC 8446 (TLS 1.3).
  • High Performance Browser Networking — Ilya Grigorik (free online).
  • Cloudflare blog on QUIC migration.