On Thu, Jul 22, 2021 at 10:02 AM Ruediger Pluem <rpl...@apache.org> wrote:
>
> On 7/21/21 10:04 PM, Eric Covener wrote:
> > I was chasing an unrelated thread about close_notify alerts and
> > reminded me -- is it time to change the default for
> > HttpProtocolOptions from Allow0.9 to Require1.0?
> >
> > As the manual says, the requirement was dropped in RFC 7230. It seems
> > like the kind of potential gadget in future desynch/smuggling kind of
> > attacks that shouldn't be on by default today.
>
> +1 for Require1.0 on 2.4. Typically I would not agree because it can break
> existing applications, but are there really setups out
> there that work with HTTP 0.9? I don't believe so. Hence my +1.

Same, +1.

Cheers;
Yann.
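
One way to check the question raised in the thread, whether any client still sends HTTP/0.9 requests, before setting `HttpProtocolOptions Require1.0`: count version-less request lines in the access log. This is an added example, not part of the original messages or of httpd itself; it assumes Common/Combined Log Format with `%r` as the first quoted field, and the function names and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: Common/Combined Log Format, where the first quoted field is %r
# (the request line exactly as the client sent it).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)"'
)
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")


def request_version(request_line):
    """Return 'HTTP/x.y', '0.9' for a version-less request line, or 'malformed'."""
    parts = request_line.split(" ")
    if len(parts) == 3 and VERSION_RE.match(parts[2]):
        return parts[2]
    # An HTTP/0.9 "simple request" is just a method and a target, no version token.
    if len(parts) == 2 and parts[1].startswith("/"):
        return "0.9"
    return "malformed"


def audit(lines):
    """Count requests per protocol version and collect the HTTP/0.9 ones."""
    counts, hits = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("req") == "-":  # "-" is logged when no request line arrived
            continue
        version = request_version(m.group("req"))
        counts[version] += 1
        if version == "0.9":
            hits.append((m.group("host"), m.group("ts"), m.group("req")))
    return counts, hits


# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jul/2021:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Jul/2021:10:02:12 +0000] "GET /status" 200 312',
    '192.0.2.44 - - [22/Jul/2021:10:02:15 +0000] "GET /legacy HTTP/1.0" 200 88',
    '203.0.113.5 - - [22/Jul/2021:10:02:19 +0000] "-" 408 -',
]

if __name__ == "__main__":
    counts, hits = audit(SAMPLE_LOG)
    print(dict(counts))
    for host, ts, req in hits:
        print(f"HTTP/0.9 request from {host} at {ts}: {req!r}")
```

An empty list of hits over a representative log window suggests no client would be affected by the stricter setting.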