HTTPAPI Working Group S. Dalal
Internet-Draft
Intended status: Standards Track E. Wilde
Expires: February 23, 2025 August 22, 2024
The Deprecation HTTP Header Field
draft-ietf-httpapi-deprecation-header-05
Abstract
The Deprecation HTTP response header field is used to signal to
consumers of a resource (in the sense of URI) that the resource will
be or has been deprecated. Additionally, the deprecation link
relation can be used to link to a resource that provides additional
information about planned or existing deprecation, and possibly ways
in which clients can best manage deprecation.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
.
Discussion of this document takes place on the HTTPAPI Working Group
mailing list (), which is archived at
. Subscribe at
. Working Group
information can be found at .
Source for this draft and an issue tracker can be found at
.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
Dalal & Wilde Expires February 23, 2025 [Page 1]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 23, 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3
2. The Deprecation HTTP Response Header Field . . . . . . . . . 3
2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. The Deprecation Link Relation Type . . . . . . . . . . . . . 5
3.1. Documentation . . . . . . . . . . . . . . . . . . . . . . 5
4. Sunset . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Resource Behavior . . . . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6.1. The Deprecation HTTP Response Header Field . . . . . . . 7
6.2. The Deprecation Link Relation Type . . . . . . . . . . . 7
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . 8
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Implementation Status . . . . . . . . . . . . . . . 9
A.1. Implementing the Deprecation Header Field . . . . . . . . 9
A.2. Implementing the Concept . . . . . . . . . . . . . . . . 11
Appendix B. Changes from Draft-04 . . . . . . . . . . . . . . . 12
Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
Dalal & Wilde Expires February 23, 2025 [Page 2]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
1. Introduction
Deprecation of an HTTP resource (Section 3.1 of [HTTP]) communicates
information about the lifecycle of a resource. It encourages
applications to migrate away from the resource, discourages
applications from forming new dependencies on the resource, and
informs applications about the risk of continued dependence upon the
resource.
The act of deprecation does not change any behavior of the resource.
It informs clients of the fact that a resource will be or is
deprecated. The Deprecation HTTP response header field can be used
to convey this at runtime to clients and carries information
indicating when the deprecation will be in effect.
In addition to the Deprecation header field, the resource provider
can use other header fields to convey additional information related
to deprecation. This can be information such as where to find
documentation related to the deprecation, what can be used as a
replacement, and when a deprecated resource becomes non-operational.
1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document uses the terminology from Section 3 of
[STRUCTURED-FIELDS] to specify syntax and parsing of Date.
The term "resource" is to be interpreted as defined in Section 3.1 of
[HTTP].
2. The Deprecation HTTP Response Header Field
The "Deprecation" HTTP response header field allows a server to
communicate to a client that the resource in context of the message
is or will be deprecated.
2.1. Syntax
The "Deprecation" response header field describes the deprecation of
the resource identified with the response it occurred within (see
Section 6.4.2 of [HTTP]). It conveys the deprecation date, which may
be in the future (the resource context will be deprecated at that
date) or in the past (the resource context has been deprecated at
Dalal & Wilde Expires February 23, 2025 [Page 3]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
that date). "Deprecation" is an Item Structured Header [RFC8941].
Refer to Section 3.3.7 of [STRUCTURED-FIELDS] for ABNF of "sf-date":
Deprecation = sf-date
The date is the date when the resource was or will be deprecated. It
is in the form of an Structured Field Date as defined in
Section 3.3.7 of [STRUCTURED-FIELDS].
The following example shows that the resource context has been
deprecated on Friday, June 30, 2023 at 23:59:59 GMT:
Deprecation: @1688169599
The deprecation date can be in the future. This means that the
resource will be deprecated at the indicated date in the future.
2.2. Scope
The Deprecation header field applies to the resource identified with
the response it occurred within (see Section 6.4.2 of [HTTP]),
meaning that it announces the upcoming deprecation of that specific
resource. However, there may be scenarios where the scope of the
announced deprecation is larger than just the single resource where
it appears.
Resources are free to define such an increased scope, and usually
this scope will be documented by the resource so that consumers of
the resource know about the increased scope and can behave
accordingly. When doing so, it is important to take into account
that such increased scoping is invisible for consumers who are
unaware of the increased scoping rules. This means that these
consumers will not be aware of the increased scope, and they will not
interpret deprecation information different from its standard meaning
(i.e., it applies to the resource only).
Using such an increased scope still may make sense, as deprecation
information is only a hint anyway. It is optional information that
cannot be depended on, and clients should always be implemented in
ways that allow them to function without Deprecation information.
Increased scope information may help clients to glean additional
hints from related resources and, thus, might allow them to implement
behavior that allows them to make educated guesses about resources
becoming deprecated.
For example, an API might not use Deprecation header fields on all of
its resources, but only on designated resources such as the API's
home document. This means that deprecation information is available,
Dalal & Wilde Expires February 23, 2025 [Page 4]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
but in order to get it, clients have to periodically inspect the home
document. In this example, the extended context of the Deprecation
header field would be all resources provided by the API, while the
visibility of the information would only be on the home document.
3. The Deprecation Link Relation Type
In addition to the Deprecation HTTP header field, the server can use
links with the "deprecation" link relation type to communicate to the
client where to find more information about deprecation of the
context. This can happen before the actual deprecation, to make a
deprecation policy discoverable, or after deprecation, when there may
be documentation about the deprecation, and possibly documentation of
how to manage it.
This specification places no restrictions on the representation of
the linked deprecation policy. In particular, the deprecation policy
may be available as human-readable documentation or as machine-
readable description.
3.1. Documentation
The purpose of the "Deprecation" header field is to provide a hint
about deprecation to the resource consumer. Upon reception of the
"Deprecation" header field, the client developer can look up the
resource's documentation in order to find deprecation related
information. The documentation MAY provide a guide and timeline to
migrate away from the deprecated resource to a new resource(s)
replacing the deprecated resource, if applicable. The resource
provider can provide a link to the resource documentation using a
"Link" header field with relation type "deprecation" as shown below:
Link: ;
rel="deprecation"; type="text/html"
In this example the linked content provides additional information
about deprecation of the resource context. There is no Deprecation
header field in the response, and thus the resource is not (yet)
deprecated. However, the resource already exposes a link where
information is available describing how deprecation is managed for
the resource. This may be the documentation explaining under which
circumstances and with which policies deprecation might take place.
For example, a policy may indicate that deprecation of a resource(s)
will always be signaled in the dedicated places at least N days ahead
of the planned deprecation date and then only the resource(s) would
be deprecated. Or a policy may indicate that resource(s) would be
deprecated first and then only be signaled as deprecated at dedicated
places. The documentation in addition to the deprecation policy may
Dalal & Wilde Expires February 23, 2025 [Page 5]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
also provide a migration guide exaplaining to consumers of the
resource how to migrate to a new resource(s) or an alternate
resource(s) before the deprecation date. Such policy and
documentation would be very useful to consumers of the resource to
plan ahead and migrate successfully.
The following example uses the same link header field, but also
announces a deprecation date using a Deprecation header field:
Deprecation: @1688169599
Link: ;
rel="deprecation"; type="text/html"
Given that the deprecation date is in the past, the linked
information resource may have been updated to include information
about the deprecation, allowing consumers to discover information
about the deprecation and how to best manage it.
4. Sunset
In addition to the deprecation related information, if the resource
provider wants to convey to the client application that the
deprecated resource is expected to become unresponsive at a specific
point in time, the Sunset HTTP header field [RFC8594] can be used in
addition to the "Deprecation" header field.
The timestamp given in the "Sunset" header field MUST NOT be earlier
than the one given in the "Deprecation" header field.
The following example shows that the resource in context has been
deprecated since Friday, June 30, 2023 at 23:59:59 GMT and its sunset
date is Sunday, June 30, 2024 at 23:59:59 GMT. Please note that for
historical reasons the Sunset HTTP header field uses a different data
type for date.
Deprecation: @1688169599
Sunset: Sun, 30 Jun 2024 23:59:59 GMT
5. Resource Behavior
The act of deprecation does not change any behavior of the resource.
Deprecated resources SHOULD keep functioning as before, allowing
consumers to still use the resources in the same way as they did
before the resources were declared deprecated.
Dalal & Wilde Expires February 23, 2025 [Page 6]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
6. IANA Considerations
6.1. The Deprecation HTTP Response Header Field
The "Deprecation" response header field should be added to the
"Hypertext Transfer Protocol (HTTP) Field Name Registry" registry
(Section 16.3.1 of [HTTP])
Header Field Name: Deprecation
Applicable Protocol: Hypertext Transfer Protocol (HTTP)
Status: Standard
Author: Sanjay Dalal ,
Erik Wilde
Change controller: IETF
Specification document: this specification,
Section 2 "The Deprecation HTTP Response Header Field"
6.2. The Deprecation Link Relation Type
The "deprecation" link relation type should be added to the permanent
registry of link relation types (Section 4.2 of [LINK]).
Relation Type: deprecation
Applicable Protocol: Hypertext Transfer Protocol (HTTP)
Status: Standard
Author: Sanjay Dalal ,
Erik Wilde
Change controller: IETF
Specification document: this specification,
Section 3 "The Deprecation Link Relation Type"
7. Security Considerations
The Deprecation header field should be treated as a hint, meaning
that the resource is indicating (and not guaranteeing with certainty)
that it will be or is deprecated. Deprecated resources MUST function
(almost) as before, even though one might consider non-functional
Dalal & Wilde Expires February 23, 2025 [Page 7]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
details such as making them progressively less efficient with longer
response time for example.
Resource documentation SHOULD provide additional information about
the deprecation, such as including recommendation(s) for replacement.
Applications consuming the resource SHOULD check the referred
resource documentation to verify authenticity and accuracy. In cases
where a "Link" header field is used to provide documentation, one
should assume (unless served over HTTPS) that the content of the
"Link" header field may not be secure, private or integrity-
guaranteed, and due caution should be exercised when using it. Also,
in cases where the Deprecation header field value is a date in the
future, it can lead to information that otherwise might not be
available. Therefore, applications consuming the resource SHOULD, if
possible, consult the resource developer to discuss potential impact
due to deprecation and plan for possible transition to a recommended
resource(s).
8. References
8.1. Normative References
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022,
.
[LINK] Nottingham, M., "Web Linking", RFC 8288,
DOI 10.17487/RFC8288, October 2017,
.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
[RFC8941] Nottingham, M. and P. Kamp, "Structured Field Values for
HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021,
.
[RFC9111] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Caching", STD 98, RFC 9111,
DOI 10.17487/RFC9111, June 2022,
.
Dalal & Wilde Expires February 23, 2025 [Page 8]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
[STRUCTURED-FIELDS]
Nottingham, M. and P. Kamp, "Structured Field Values for
HTTP", draft-ietf-httpbis-sfbis-06 (work in progress),
April 2024.
8.2. Informative References
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", BCP 205,
RFC 7942, DOI 10.17487/RFC7942, July 2016,
.
[RFC8594] Wilde, E., "The Sunset HTTP Header Field", RFC 8594,
DOI 10.17487/RFC8594, May 2019,
.
Appendix A. Implementation Status
Note to RFC Editor: Please remove this section before publication.
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC7942].
The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not
be construed to be, a catalog of available implementations or their
features. Readers are advised to note that other implementations may
exist.
According to RFC 7942, "this will allow reviewers and working groups
to assign due consideration to documents that have the benefit of
running code, which may serve as evidence of valuable experimentation
and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as
they see fit".
A.1. Implementing the Deprecation Header Field
This is a list of implementations that implement the deprecation
header field:
Organization: Apollo
Dalal & Wilde Expires February 23, 2025 [Page 9]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
o Description: Deprecation header field is returned when deprecated
functionality (as declared in the GraphQL schema) is accessed
o Reference: https://www.npmjs.com/package/apollo-server-tools
Organization: Zalando
o Description: Deprecation header field is recommended as the
preferred way to communicate API deprecation in Zalando API
designs.
o Reference: https://opensource.zalando.com/restful-api-
guidelines/#deprecation
Organization: Palantir Technologies
o Description: Deprecation header field is incorporated in code
generated by conjure-java, a CLI to generate Java POJOs and
interfaces from Conjure API definitions
o Reference: https://github.com/palantir/conjure-java
Organization: IETF Internet Draft, Registration Protocols Extensions
o Description: Deprecation link relation is returned in Registration
Data Access Protocol (RDAP) notices to indicate deprecation of
jCard in favor of JSContact.
o Reference: https://tools.ietf.org/html/draft-loffredo-regext-rdap-
jcard-deprecation
Organization: E-Voyageurs Technologies
o Description: Deprecation header field is incorporated in
Hesperides, a configuration management tool providing universal
text file templating and properties editing through a REST API or
a webapp.
o Reference: https://github.com/voyages-sncf-
technologies/hesperides/blob/master/documentation/lightweight-
architecture-decision-records/deprecated_endpoints.md
Organization: Open-Xchange
o Description: Deprecation header field is used in Open-Xchange
appsuite-middleware
o Reference: https://github.com/open-xchange/appsuite-middleware
Dalal & Wilde Expires February 23, 2025 [Page 10]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
Organization: MediaWiki
o Description: Core REST API of MediaWiki would use Deprecation
header field for endpoints that have been deprecated because a new
endpoint provides the same or better functionality.
o Reference: https://phabricator.wikimedia.org/T232485
A.2. Implementing the Concept
This is a list of implementations that implement the general concept,
but do so using different mechanisms:
Organization: Zapier
o Description: Zapier uses two custom HTTP header fields named "X-
API-Deprecation-Date" and "X-API-Deprecation-Info"
o Reference: https://zapier.com/engineering/api-geriatrics/
Organization: IBM
o Description: IBM uses a custom HTTP header field named
"Deprecated"
o Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/
com.ibm.qradar.doc/c_rest_api_getting_started.html
Organization: Ultipro
o Description: Ultipro uses the HTTP "Warning" header field as
described in Section 5.5 of [RFC9111] with code "299"
o Reference: https://connect.ultipro.com/api-deprecation
Organization: Clearbit
o Description: Clearbit uses a custom HTTP header field named "X-
API-Warn"
o Reference: https://blog.clearbit.com/dealing-with-deprecation/
Organization: PayPal
o Description: PayPal uses a custom HTTP header field named "PayPal-
Deprecated"
Dalal & Wilde Expires February 23, 2025 [Page 11]
�
Internet-Draft The Deprecation HTTP Header Field August 2024
o Reference: https://github.com/paypal/api-standards/blob/master/
api-style-guide.md#runtime
Appendix B. Changes from Draft-04
This revision has made the following changes:
o Fixed references for structured fields, RFC9111 instead of RFC7234
o Security Considerations is Heading#1
o Removed redundant example
Appendix C. Acknowledgments
The authors would like to thank Nikhil Kolekar, Darrel Miller, Mark
Nottingham, and Roberto Polli for their contributions.
The authors take all responsibility for errors and omissions.
Authors' Addresses
Sanjay Dalal
Email: sanjay.dalal@cal.berkeley.edu
URI: https://github.com/sdatspun2
Erik Wilde
Email: erik.wilde@dret.net
URI: http://dret.net/netdret
Dalal & Wilde Expires February 23, 2025 [Page 12]