The Quiet Obsolescence of HTTP/1.X: A Practical Defense Against the Web's Persistent Underbelly

Tech Essays Reporter

After enabling HTTP/3, a web administrator discovered that over 80% of traffic was still using HTTP/1.0 or 1.1, and nearly all of it was malicious. The solution—selectively blocking these protocols—reveals a fundamental shift in web infrastructure and the persistent, low-level threat landscape that operates in the shadows of the modern web.

When Mark McBride enabled HTTP/3 for his personal website in January 2026, the expected performance gains were secondary to a more startling discovery. Reviewing his nginx access logs, he found that despite the widespread adoption of HTTP/2 and the emerging HTTP/3 standard, over 80% of requests to his site were still using the decades-old HTTP/1.0 or HTTP/1.1 protocols. More concerning was the quality of that traffic: nearly every HTTP/1.X request was a probe, a scraper, or an exploit attempt. The modern web, it seemed, had moved on, leaving a persistent, noisy layer of legacy traffic behind.

This observation led to a deliberate, surgical intervention. McBride decided to effectively disable HTTP/1.X access to his site, not by blocking the protocols entirely, but by implementing a conditional response that forces clients to upgrade. The technical implementation is straightforward yet elegant, leveraging nginx's map directive to create global variables that classify incoming requests. The core logic hinges on two questions: Is this request using HTTP/1.X? And is the client a known, legitimate agent?

Two primary strategies emerged from this approach. The first, a "whitelist" method, allows only explicitly identified good agents—text browsers like w3m or lynx, and major search engine bots like Googlebot or Bingbot—to use HTTP/1.X. The second, a "blacklist" method, which McBride ultimately preferred, blocks agents that exhibit questionable behavior when combined with HTTP/1.X. This includes requests with blank user agents, or those masquerading as modern desktop browsers (like Mozilla/5.0) while still using an outdated protocol. The configuration is a series of nginx map blocks that set variables like $is_http1 and $is_questionable_agent, culminating in a conditional check that returns a 426 Upgrade Required status code for blocked requests.
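A sketch of the "blacklist" variant described above, added here as an example and not McBride's actual configuration. The variable names `$is_http1` and `$is_questionable_agent` come from the article; `$block_http1`, the crawler exemption, the audit log format, the log path and `example.org` are assumptions.

```nginx
# Added example, not the original author's configuration.
# The three map blocks and log_format belong in the http context.

# 1 when the request arrived over HTTP/1.0 or HTTP/1.1.
map $server_protocol $is_http1 {
    default       0;
    "~^HTTP/1\."  1;
}

# Exact strings are checked first, then regexes in order of appearance
# (first match wins), so the crawler exemption must precede the generic
# Mozilla/5.0 rule: major crawlers also send "Mozilla/5.0 (compatible; ...)".
map $http_user_agent $is_questionable_agent {
    default                    0;
    ""                         1;   # blank or missing User-Agent
    "~*(googlebot|bingbot)"    0;   # assumed exemption list
    "~^Mozilla/5\.0"           1;   # claims to be a modern browser
}

# nginx "if" cannot AND two conditions, so combine them in one more map.
# $block_http1 is a hypothetical name introduced for this sketch.
map "$is_http1:$is_questionable_agent" $block_http1 {
    default  0;
    "1:1"    1;
}

# Audit format: records the protocol and the block decision per request,
# so the rule can be reviewed in the logs before and after enforcement.
log_format proto_audit '$remote_addr "$request" $status $server_protocol '
                       'block=$block_http1 "$http_user_agent"';

server {
    server_name example.org;    # placeholder
    # ... existing listen / TLS / HTTP/2 / HTTP/3 directives ...

    access_log /var/log/nginx/proto_audit.log proto_audit;   # constructed path

    # Questionable agent on HTTP/1.X: answer 426 Upgrade Required.
    if ($block_http1) {
        return 426;
    }
}
```

Commenting out the `if` block while leaving the `access_log` line in place gives a log-only mode for checking which clients would be refused. The User-Agent header is client-controlled, so the crawler exemption is a convenience and not a form of authentication.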
