HPACK: HTTP/2’s Hidden Gem

Shalom Carmel Chief Information Officer at GlobalDots

If your business relies heavily on online assets, you have surely already switched to HTTP/2, the new and improved protocol for delivering online content. New features like server push, full multiplexing and improved parallelism, along with attached advanced technologies, make the performance gains quite obvious with HTTP/2. Right next to the performance boost there’s the security aspect, largely because all major clients like Firefox, Chrome, Safari, Opera, etc. stated they will only support HTTP/2 over Transport Layer Security (TLS). This makes encryption practically mandatory, with HTTP/2 actually becoming HTTPS (HTTP “Secured”). Also, since Google clearly pushes security as an increasingly important ranking factor, delivering content over HTTP/2, which ultimately translates to HTTPS, boosts your SEO efforts as well as performance. Major CDN providers report constant and increasing adoption of the new protocol, which suggests HTTP/2 will become even more dominant in the near future.

However, while it’s safe to say that the switch to HTTP/2 is a trend, many companies still fail to fully leverage all the benefits and features that the new protocol offers. One such hidden gem is a feature that keeps flying under the radar and is yet to be fully recognized. We’re talking about the header compression feature – HPACK.


The Background

Back in the old HTTP era, all compression was performed within TLS, using gzip and DEFLATE, a lossless data compression algorithm, to reduce both header and body payloads. Then came the SPDY protocol, developed mainly by Google, which was used to shape HTTP traffic in order to reduce load latency and provide a better security structure. SPDY also introduced a new compression algorithm designed specifically for headers, which still used DEFLATE along with dynamic Huffman codes and string matching algorithms. The gains were short-lived, as it soon became clear that it was quite vulnerable to CRIME attacks (Compression Ratio Info-leak Made Easy), a security exploit used to recover the content of authentication cookies, which then allowed hackers to perform session hijacking and launch further attacks. The discovered vulnerability pushed network providers to fully disable header compression. And so it remained until HTTP/2 took the scene.


Header Compression With HPACK

With SPDY, header compression was executed within a single gzip context in each direction. This solution was rather simple to implement and proved efficient. After SPDY was deployed, however, major security flaws were spotted in the header compression process, in particular its vulnerability to the CRIME attacks mentioned earlier. HTTP/2 was developed with attacks like CRIME in mind, and its dedicated header compression algorithm, HPACK, is now considered safe to use.
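The leak that forced header compression off, shown as an added example (not code from the original article): one DEFLATE context compresses attacker-influenced text together with a cookie, and the output shrinks as the reflected text overlaps the secret. The request layout, `example.test` and the cookie value are constructed for illustration.

```python
import zlib

# Constructed sample values; nothing here comes from a real session.
SECRET = "7f3a9c2e1b5d8046"
COOKIE_LINE = "Cookie: session=" + SECRET + "\r\n"


def deflate_size(reflected: str) -> int:
    """Size of one request after DEFLATE when `reflected` text shares
    the compression context with the cookie header."""
    request = (
        "GET /search?q=" + reflected + " HTTP/1.1\r\n"
        "Host: example.test\r\n" + COOKIE_LINE + "\r\n"
    )
    return len(zlib.compress(request.encode(), 9))


def sizes_by_overlap() -> dict:
    """Compressed size when the reflected text matches 0, 8 or 16
    characters of the secret. The plaintext length is identical in all
    three cases; only the amount of string matching changes."""
    filler = "zyxwvutsrqponmlk"  # same length as SECRET, shares nothing with it
    return {
        k: deflate_size("session=" + SECRET[:k] + filler[k:])
        for k in (0, 8, 16)
    }


if __name__ == "__main__":
    for overlap, size in sizes_by_overlap().items():
        print(f"{overlap:2d} matching characters -> {size} compressed bytes")
```

The size difference survives encryption, because TLS hides content but not length; that is the property HPACK was designed to remove.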

You may ask yourself why we even need header compression. As pointed out on GitHub’s HTTP/2 FAQ page, assuming a page has 80 assets and each request results in 1400 bytes of header, it takes at least 7-8 roundtrips to deliver all the headers to the client. This is largely due to TCP’s Slow Start implementation, which sets up new connections based on the number of confirmed packets, thus resulting in a limited number of packets for the first few roundtrips. Even a low level of compression on headers greatly reduces roundtrips and payload, and can help deliver the request within just one roundtrip, or even within a single packet.

With HPACK, that’s exactly what happens. Headers can now be compressed using Huffman encoding, which results in an average 30% reduction of header size. As KeyCDN pointed out in their blog post, the 3 main benefits of HPACK are:

  • Resilient against compression based attacks (CRIME)
  • Fixed Huffman codes allow encoding of large headers
  • Frequently used headers can be encoded as a variable-length integer, as opposed to re-sending the whole header every time

Essentially, the Huffman encoding algorithm operates by assigning shorter binary codes to the most commonly used characters. When an HPACK header is received, it gets looked up in the list of binary codes. This way frequently used characters take up less space, which in turn results in fewer bits required to complete the transmission. Previously, an accept string encoded with 7 bits per character would require 6 bytes, while the HPACK version only takes 2 bytes. It means less data gets transferred, which ultimately results in improved web performance.


Proof of the efficiency of HPACK header compression is provided by CloudFlare. They monitored request and response headers within their network and found that total ingress traffic with HTTP/2’s HPACK was reduced by 53%. The analysis also pointed out that CloudFlare’s infrastructure processes the same number of requests for HTTP/1 and HTTP/2 over HTTPS, but with ingress traffic for HTTP/2 amounting to merely half of that for HTTP/1.

As for response headers (egress traffic), the gains were not that substantial but still relevant. Total egress traffic showed a modest 1.4% saving. Although it’s not much at first glance, on a larger scale even minimal savings of that amount could result in a significant reduction of traffic.

Worth mentioning is the fact that HPACK uses indexing. It consists of a table filled with frequently used headers (e.g. user-agent), which means that once a header contained in the list is sent, HPACK will use the index from the table as opposed to the literal string.
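Indexing and the variable-length integer, as an added example (not code from the original article or from any HTTP/2 library): a minimal encoder following RFC 7541 that sends string literals without Huffman coding, carries only a subset of the static table and never evicts dynamic-table entries. A field is replaced by its index only when the whole name/value pair matches, so a partially matching value costs the same as an unrelated one.

```python
# Added example: minimal HPACK encoder (RFC 7541), string literals sent raw (H bit = 0).
# Simplifications: static-table subset, no dynamic-table eviction, no Huffman coding.
STATIC = [  # (index, name, value) rows taken from RFC 7541 Appendix A
    (1, ":authority", ""), (2, ":method", "GET"), (4, ":path", "/"),
    (6, ":scheme", "http"), (24, "cache-control", ""), (32, "cookie", ""),
    (58, "user-agent", ""),
]
FIELD_INDEX = {(n, v): i for i, n, v in STATIC}
NAME_INDEX = {n: i for i, n, _ in reversed(STATIC)}  # lowest index wins
STATIC_SIZE = 61  # the first dynamic-table entry is index 62


def encode_int(value, prefix_bits, flags=0):
    """Integer with an N-bit prefix (RFC 7541 section 5.1)."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out, value = [flags | limit], value - limit
    while value >= 128:
        out.append(value % 128 | 0x80)  # 7 payload bits plus continuation bit
        value //= 128
    return bytes(out + [value])


class Encoder:
    def __init__(self):
        self.dynamic = []  # newest first: position 0 is index 62

    def encode(self, headers):
        out = b""
        for name, value in headers:
            field = (name, value)
            if field in FIELD_INDEX:  # whole field is in the static table
                out += encode_int(FIELD_INDEX[field], 7, 0x80)
            elif field in self.dynamic:  # whole field was sent earlier
                idx = STATIC_SIZE + 1 + self.dynamic.index(field)
                out += encode_int(idx, 7, 0x80)
            else:  # literal with incremental indexing
                name_idx = NAME_INDEX.get(name, 0)
                out += encode_int(name_idx, 6, 0x40)
                if name_idx == 0:  # name is not in the table: send it too
                    out += encode_int(len(name), 7) + name.encode()
                raw = value.encode()
                out += encode_int(len(raw), 7) + raw
                self.dynamic.insert(0, field)
        return out
```

An exact whole-field match is still visible in the encoded size, which is why RFC 7541 also defines a never-indexed literal representation for sensitive fields.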

Conclusion

With header compression once again being available without security issues attached, significant savings can be achieved in terms of transferred payload and load times. As this post points out, HTTP/2 HPACK compression enables substantially faster content delivery. By implementing HPACK compression for HTTP headers, the responses will be faster and smaller. It all translates to significantly reduced ingress and egress bandwidth.

Taking all of the above into consideration, it is safe to say that there has never been a better time to migrate to HTTPS and take full advantage of its benefits. Is your site or CDN provider already running over HTTP/2? Are you taking advantage of the HPACK feature? Make sure to find out. And if you need help on the matter, feel free to contact our experts at GlobalDots for everything web performance and security related.
