# Address IPFS on the Web
This document is a guide to how to address IPFS content paths on the web.
# Dweb addressing in brief
- In IPFS, addresses (for content) are path-like; they are components separated by slashes.
- The first component is the protocol, which tells you how to interpret everything after it.
- Content referenced by a hash might have named links. (For example, a Git commit has a link named
parent, which is really just a pointer to the hash of another Git commit.) Everything after the CID in an IPFS address are those named links.
- Since these addresses aren’t URLs, using them in a web browser requires reformatting them slightly:
- Through an HTTP gateway, as
http://<gateway host>/<IPFS address>
- Through the gateway subdomain (more secure, harder to set up):
http://<cid>.ipfs.<gateway host>/<path>, so the protocol and CID are subdomains.
- Through custom URL protocols like
ipns://<peer ID>/<path>, and
- Through an HTTP gateway, as
# HTTP gateways
Gateways are provided strictly for convenience: in other words, they help tools that speak HTTP but do not speak distributed protocols such as IPFS. They are the first stage of the upgrade path for the web.
HTTP gateways have worked well since 2015, but they come with a significant set of limitations related both to the centralized nature of HTTP and some of HTTP's semantics. Location-based addressing of a gateway depends on both DNS and HTTPS/TLS, which relies on a trust in certificate authorities (opens new window) (CAs) and public key infrastructure (opens new window) (PKI). In the long term, these issues should be mitigated by use of opportunistic protocol upgrade schemes.
# Protocol upgrade
Tools and browser extensions should detect IPFS content paths and resolve them directly over IPFS protocol. They should use HTTP gateway only as a fallback when no native implementation is available in order to ensure a smooth, backward-compatible transition.
Use relative or absolute URLs that include content-addressed paths. This will take advantage of content addressing today while ensuring backward compatibility with the legacy web.
For example, a website can load static assets from content-addressed paths:
<link rel="stylesheet" href="https://example.com/ipfs/QmNrgEMcUygbKzZeZgYFosdd27VE9KnWbyUD73bKZJ3bGi?filename=style.css">
<link rel="stylesheet" href="/ipfs/QmNrgEMcUygbKzZeZgYFosdd27VE9KnWbyUD73bKZJ3bGi?filename=style.css">
Browsers that support IPFS will recognize the
/ipfs/<CID> content path and load the related asset over IPFS instead of HTTP.
User agents without IPFS support still get the correct data from the original HTTP server.
# Path gateway
In the most basic scheme, a URL path used for content addressing is effectively a resource name without a canonical location. The HTTP server provides the location part, which makes it possible for browsers to interpret an IPFS content path as relative to the current server and just work without a need for any conversion:
In this scheme, all pages share a single Origin , which means this type of gateway should be used only when site isolation does not matter (static content without cookies, local storage or Web APIs that require user permission).
When in doubt, use subdomain gateway instead (see below).
https://ipfs.io/ipfs/bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq/wiki/Vincent_van_Gogh.html https://ipfs.io/ipfs/QmT5NvUtoM5nWFfrQdVrFtvGfKFmG7AHE8P34isapyhCxX/wiki/Mars.html https://ipfs.io/ipns/tr.wikipedia-on-ipfs.org/wiki/Anasayfa.html
# Subdomain gateway
https://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq.ipfs.dweb.link/wiki/ https://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq.ipfs.cf-ipfs.com/wiki/Vincent_van_Gogh.html https://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq.ipfs.localhost:8080/wiki/
# Native support in go-ipfs 0.5+
Learn more about daemon configuration for hosting a public gateway:
Gateway.PublicGatewaysdocs (opens new window) for defining gateway behavior on specified hostnames
Gatewayrecipes (opens new window) with ready to use one-liners for most common use cases
- Some browsers and other user agents force lowercase for the authority part of URLs, breaking case-sensitive CIDs before the HTTP gateway has a chance to read them
- DNS label length is limited to 63 characters (RFC 1034 (opens new window))
Due to these limitations, the use of short, case-insensitive CIDv1 in a subdomain context is advised.
Base32 is the safe default; the less-popular Base36 can be used for longer ED25519 libp2p keys.
See the next section to learn how to convert an existing CIDv0 to a DNS-safe representation.
# CID conversion for subdomains
If you have content identified by an older CIDv0, there are easy ways to safely represent it as CIDv1 for use in subdomains and other case-insensitive contexts.
# Automatic — leverage the gateway in go-ipfs
TL;DR: Using a subdomain gateway as a drop-in replacement for a path one removes the need for manual CID conversion.
Request for a content path sent to the gateway domain will return an HTTP 301 redirect to a correct subdomain version, taking care of any necessary encoding conversion if needed:
https://<gateway-host>.tld/ipfs/<cid> -> https://<cidv1>.ipfs.<gateway-host>.tld/
To illustrate, opening the CIDv0 resource at
https://dweb.link/ipfs/QmT5NvUtoM5nWFfrQdVrFtvGfKFmG7AHE8P34isapyhCxX/wiki/Mars.html (opens new window)
returns a redirect to a CIDv1 representation at
https://bafybeicgmdpvw4duutrmdxl4a7gc52sxyuk7nz5gby77afwdteh3jc5bqa.ipfs.dweb.link/wiki/Mars.html (opens new window).
The gateway takes care of converting the CID to case-insensitive encoding.
The multihash in CIDv1 is the same as in the original CIDv0.
# Manual — use cid.ipfs.io or the command line
$ ipfs cid base32 QmbWqxBEKC3P8tqsKc98xmWNzrzDtRLMiMPL8wBuTGsMnR bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi
PeerIDs can be represented as CID with
libp2p-key multicodec (opens new window).
Base36 is suggested as a safer default for longer keys:
$ ipfs key list -l --ipns-base base36 k51qzi5uqu5dh9ihj4p2v5sl3hxvv27ryx2w0xrsv6jmmqi91t9xp8p9kaipc2 self $ ipfs cid format -v 1 -b base36 --codec libp2p-key QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN k2k4r8jl0yz8qjgqbmc2cdu5hkqek5rj6flgnlkyywynci20j0iuyfuj
# DNSLink gateway
The gateway provided by the IPFS daemon understands the
Host header present in HTTP requests, and will check if DNSLink exists for a specified domain name (opens new window).
If DNSLink is present, the gateway will return content from a path resolved via DNS TXT record.
This type of gateway provides full origin isolation (opens new window).
Example: https://docs.ipfs.io (opens new window) (this website)
For a more complete DNSLink guide, including tutorials, usage examples and FAQs, check out dnslink.io (opens new window).
# Native URLs
Subdomain convention can be replaced with a native handler. The IPFS URL protocol scheme follows the same requirement of case-insensitive CIDv1 in Base32 as subdomains:
An IPFS URL does not retain the original path, but instead requires a conversion step to/from URI representation:
The first element after the double slash is an opaque identifier representing the content root. It is interpreted as an authority component used for origin calculation, which provides necessary isolation between security contexts of different content trees.
Native URI require CID to be case-insensitive. Use of CIDv1 in Base32 is advised.
# Further resources
# Technical specification for implementers
The best and most up-to-date source of truth about IPFS addressing can be found in the IPFS in-web-browsers repo (opens new window).
# Background on address scheme discussions
Discussions around IPFS addressing have been going on since @jbenet published the IPFS whitepaper (opens new window), with a number of other approaches being proposed. This long-standing design discussion includes many lengthy GitHub issue threads, but a good summary can be found in this PR (opens new window).
# IPFS Companion
IPFS Companion (opens new window) is a browser extension that simplifies access to IPFS resources.
It provides support for native URLs and will automatically redirect IPFS gateway requests to your local daemon so that you are not relying on, or trusting, remote gateways.
# Shared dweb namespace
This concept isn't yet built, but may be explored and experimented with in the future. The distributed web community is exploring the idea of a shared
dweb namespace to remove the complexity of addressing IPFS and other content-addressed protocols. Currently investigated approaches include: