<!-- Source: https://melinasecurity.com/knowledge/glossary/coap/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->

# CoAP

**slug:** `coap` · **URL:** `/knowledge/glossary/coap/` · **category:** IoT Protocols · **reviewer:** Tatiana

### Definition

CoAP (Constrained Application Protocol) is a specialized web transfer protocol designed for constrained nodes and constrained networks in the Internet of Things. Standardized in RFC 7252 (with later extensions), it provides a UDP-based REST-equivalent API for IoT devices that cannot support HTTP.

### What it means

CoAP follows REST semantics (GET, POST, PUT, DELETE on URI-identified resources) but uses UDP as the transport, with optional message reliability through Confirmable / Non-confirmable message types. It is the protocol behind several IoT device-management standards including [LWM2M](/knowledge/glossary/lwm2m/).

Security in CoAP is provided by DTLS (Datagram TLS) — the UDP-compatible variant of TLS. The combination of UDP + DTLS introduces specific attack-surface considerations: amplification attacks (CoAP responses can be larger than requests), reflection attacks if proxying is misconfigured, and session-management weaknesses in DTLS handshake state machines.

For offensive-security assessment, CoAP testing covers: resource enumeration, DTLS handshake fuzzing, request-method enumeration on each resource, observability of device internal state through CoAP-exposed resources, and amplification-attack-surface analysis.
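
As an added example that is not part of this glossary entry, the following standard-library Python encodes and parses the RFC 7252 message format described above (header, type field, options with extended delta/length encoding, payload marker) and measures how much larger a discovery response is than the request that elicited it, which is the ratio to check when auditing a device's amplification exposure. The sensor resource names and link-format payload are constructed for the sample.

```python
import struct
TYPES = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}  # RFC 7252 §3: the 2-bit T field
URI_PATH, CONTENT_FORMAT = 11, 12                  # option numbers from RFC 7252 §5.10
def _nibble(value):
    """Option delta/length encoding (§3.1): 0..12 inline, 13/14 add extension bytes."""
    if value < 13: return value, b""
    if value < 269: return 13, bytes([value - 13])
    return 14, (value - 269).to_bytes(2, "big")
def _unnibble(nib, data, pos):
    if nib < 13: return nib, pos
    if nib == 13: return data[pos] + 13, pos + 1
    if nib == 14: return int.from_bytes(data[pos:pos + 2], "big") + 269, pos + 2
    raise ValueError("option nibble 15 is reserved outside the 0xFF payload marker")

def encode(msg_type, code, msg_id, token=b"", options=(), payload=b""):
    """code is (class, detail); options is a list of (number, bytes) sorted by number."""
    if len(token) > 8: raise ValueError("TKL 9..15 are reserved")
    out = struct.pack("!BBH", (1 << 6) | (msg_type << 4) | len(token),
                      (code[0] << 5) | code[1], msg_id) + token
    prev = 0
    for number, value in options:          # each delta is relative to the previous option
        d, dext = _nibble(number - prev); l, lext = _nibble(len(value))
        out += bytes([(d << 4) | l]) + dext + lext + value
        prev = number
    return out + (b"\xff" + payload if payload else b"")

def decode(data):
    if len(data) < 4: raise ValueError("CoAP header is 4 bytes")
    b0, code, msg_id = struct.unpack("!BBH", data[:4])
    ver, tkl = b0 >> 6, b0 & 0xF
    if ver != 1 or tkl > 8 or len(data) < 4 + tkl: raise ValueError("bad version/TKL")
    pos, number, options, payload = 4 + tkl, 0, [], b""
    while pos < len(data):
        b = data[pos]; pos += 1
        if b == 0xFF:                      # payload marker; must be followed by >= 1 byte
            if pos == len(data): raise ValueError("0xFF marker with empty payload")
            payload = data[pos:]; break
        d, pos = _unnibble(b >> 4, data, pos); l, pos = _unnibble(b & 0xF, data, pos)
        if pos + l > len(data): raise ValueError("option value runs past datagram end")
        number += d; options.append((number, data[pos:pos + l])); pos += l
    return {"type": TYPES[(b0 >> 4) & 3], "code": "%d.%02d" % (code >> 5, code & 0x1F),
            "msg_id": msg_id, "token": data[4:4 + tkl], "options": options, "payload": payload}
def amplification_factor(request, response):
    """Response bytes per request byte; a high ratio flags a UDP amplifier candidate."""
    return len(response) / len(request)

# Constructed sample exchange (not captured traffic): a discovery GET and a long 2.05 reply.
REQUEST = encode(0, (0, 1), 0x1234, options=[(URI_PATH, b".well-known"), (URI_PATH, b"core")])
LINKS = b"".join(b'</sensors/%d>;rt="temperature";if="sensor",' % i for i in range(8))
RESPONSE = encode(2, (2, 5), 0x1234, options=[(CONTENT_FORMAT, bytes([40]))], payload=LINKS)
```

The 21-byte request draws a 343-byte reply, a ratio above 16, which is why unauthenticated discovery over plain UDP deserves rate limiting or DTLS before exposure.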

### Related terms

- [MQTT](/knowledge/glossary/mqtt/)
- [LWM2M](/knowledge/glossary/lwm2m/)

### Authoritative sources

- [RFC 7252 (CoAP base specification)](https://datatracker.ietf.org/doc/html/rfc7252)
- [RFC 9147 (DTLS 1.3)](https://datatracker.ietf.org/doc/html/rfc9147)
