http1.dev HTTP/1.x must die

The Problem: HTTP/1.x is inhariantly insecure

HTTP/1.0 and HTTP/1.1 are fundamentally broken and insecure by modern standards. They suffer from critical flaws that cannot be fully fixed without replacing the protocol itself.

For a detailed technical breakdown of why HTTP/1.x must die, see the excellent site: https://http1mustdie.com/

Recommended practices

We are not asking to kill HTTP/1.x support overnight. Legacy systems exist. Old industrial controllers, embedded devices, ancient monitoring scripts, and unpatchable hardware still speak only HTTP/1.0 or 1.1. These devices must continue to receive a valid response when they connect.

What we recommended instead:

• HTTP/1.x must be supported only as a compatibility fallback.
• It must never carry application logic or sensitive data.
• It must never be possible to force or downgrade a connection to HTTP/1.x when the client and server both support HTTP/2 or HTTP/3.

In practice this means:

• Always negotiate the highest protocol version via ALPN (h2, h3). Modern browsers and servers already do this.
• Respond with HTTP/1.1 only when the client explicitly speaks HTTP/1.x first.
• Never allow protocol downgrade attacks.
• Treat any successful downgrade as a configuration failure.

Keeping HTTP/1.x alive for dusty legacy corners is acceptable, but can be disabled if you want to be more strict and your users are not using legacy devices.