4.2.1 Introduction

SHTTP is a transaction security protocol designed explicitly to protect HTTP transactions. It operates as part of a secured application: it encapsulates (possibly recursively) the application data (i.e., the HTTP transaction) and applies security services to it. SHTTP does not rely on an explicit security association but applies services atomically to each transaction. Architecturally, SHTTP may be compared to secure messaging protocols and, in fact, supports the use of such formats to provide the secure encapsulation. SHTTP includes a description of the means whereby a party determines what services and formats to apply to a transaction. SHTTP is designed to support the orthogonal application of security services (i.e., there are no mandatory services and any combination is allowed).

Denis Arnaud