Adaptive compression of attacker+secret data leaks secrets via length (CRIME); HPACK indexing/static-Huffman resists this.
What frame announces a server push and what ID does it reserve?
PUSH_PROMISE; it reserves an even Stream ID for the pushed response.
HPACK encode index 1337 in a 5-bit prefix.
Prefix=31, then 1337−31=1306 → bytes 31,154,10.
Why was server push deprecated in browsers?
Often pushed already-cached resources and competed for the congestion window; replaced by 103 Early Hints + preload.
Default max frame payload size and why limited?
16384 bytes (214); prevents one frame monopolizing the shared connection.
Recall Explain to a 12-year-old (Feynman)
Old internet: you mail one letter, wait for the reply, then mail the next — slow, and you waste the
envelope's whole address block every time. HTTP/2 is like cutting every letter into small numbered
cards and tossing them all down one tube at once; the other side sorts by number. It also keeps a
shortcut list so repeated info ("from: you") becomes just "#5". And a smart helper can send you the
homework pages it knows you'll need next, before you even ask. The only snag: if one card gets lost
in the tube, everything waits for it to be resent — HTTP/3 builds separate tubes to fix that.
Dekho, HTTP/1.1 ka problem yeh tha ki ek TCP connection pe ek time pe ek hi request-response chal
sakti thi. Agar pehli file slow hai to baaki sab line mein khade intezaar karte the — isko
head-of-line blocking kehte hain. Isliye browser 6 connections kholta tha, jo waste tha. HTTP/2
ne sab kuch binary frames mein convert kar diya: har request-response ko chote chote frames mein
toda, har frame pe ek Stream ID ka label lagaya, aur ek hi connection pe sab streams ko
interleave kar diya. Receiver label dekh ke reassemble kar leta hai. Isko multiplexing bolte hain.
HPACK header compression hai. Har request mein cookie, user-agent same repeat hoti hain, to inko
baar baar bhejna fizool hai. HPACK ek static table (61 common headers fixed), ek dynamic table
(connection ke dauran jo dikha use yaad rakho), aur Huffman coding use karta hai. Dusri baar wahi
header bas ek index byte ban jati hai — 200 byte cookie, 1 byte mein. Important baat: normal gzip
use nahi kiya kyunki usse CRIME attack se secret cookie leak ho jaata hai; HPACK design hi safe hai.
Server push mein server bina mange aapko resource bhej deta hai — jaise index.html maanga to
style.css aur app.js pehle hi PUSH_PROMISE frame ke through bhej deta hai, taaki cache mein ready ho.
Lekin yeh ulta nuksaan bhi kar sakta hai (already-cached cheez push karna, bandwidth waste), isliye
browsers ne ise hata diya aur ab 103 Early Hints + preload use hota hai.
Ek catch yaad rakhna: HTTP/2 application-layer HOL blocking hatata hai, par TCP-layer HOL abhi bhi
hai — ek packet lost hua to saare streams ruk jaate hain. Isi liye HTTP/3 (QUIC, UDP pe) aaya jahan har
stream ki apni ordering hai. Yeh exam aur interview dono mein favourite question hai.