On 22/07/2021 10.02, Ruediger Pluem wrote:


On 7/21/21 10:04 PM, Eric Covener wrote:
I was chasing an unrelated thread about close_notify alerts and
it reminded me -- is it time to change the default for
HttpProtocolOptions from Allow0.9 to Require1.0?

As the manual says, the requirement was dropped in RFC 7230. It seems
like the kind of potential gadget in future desynch/smuggling kind of
attacks that shouldn't be on by default today.

+1 for Require1.0 on 2.4. Typically I would not agree because it can break
existing applications, but are there really setups out there that work
with HTTP 0.9? I don't believe so. Hence my +1.

In which case one can just manually switch back to Allow0.9, right? :)

+1 for Require1.0


Regards

Rüdiger
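
One way to check the question raised in the thread, whether any clients still send HTTP/0.9 requests, before switching to Require1.0. This is an added example, not part of the original messages or of httpd; it assumes access logs in common/combined format where the first quoted field is the request line, and the sample log lines are constructed.

```python
import re
from collections import Counter

# First quoted field of a common/combined log line is the request line (%r).
REQUEST_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Request line carrying an explicit version token, e.g. "GET / HTTP/1.1".
VERSIONED = re.compile(r'^\S+ \S+ HTTP/(\d+\.\d+)$')
# HTTP/0.9 simple request: GET and a target, with no version token.
SIMPLE_REQUEST = re.compile(r'^GET \S+$')

def classify(request_line):
    """Return 'HTTP/x.y', 'HTTP/0.9', or 'unparsed' for one request line."""
    m = VERSIONED.match(request_line)
    if m:
        return "HTTP/" + m.group(1)
    if SIMPLE_REQUEST.match(request_line):
        return "HTTP/0.9"
    return "unparsed"  # empty ("-"), truncated, or malformed request lines

def audit(log_lines):
    """Count protocol versions and collect client addresses using HTTP/0.9."""
    counts, legacy_clients = Counter(), set()
    for line in log_lines:
        field = REQUEST_FIELD.search(line)
        kind = classify(field.group(1)) if field else "unparsed"
        counts[kind] += 1
        if kind == "HTTP/0.9":
            legacy_clients.add(line.split(" ", 1)[0])  # %h is the first field
    return counts, legacy_clients

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jul/2021:10:02:00 +0200] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Jul/2021:10:02:05 +0200] "GET /status" 200 64',
    '192.0.2.10 - - [22/Jul/2021:10:02:09 +0200] "POST /api HTTP/1.0" 200 12',
    '203.0.113.5 - - [22/Jul/2021:10:02:11 +0200] "-" 408 -',
]

if __name__ == "__main__":
    counts, clients = audit(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{kind}: {n}")
    print("HTTP/0.9 clients:", sorted(clients) or "none")
```

Any address reported under HTTP/0.9 is a client that would stop working under Require1.0 and would need Allow0.9 set back manually, as noted in the thread.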

