I know for a fact that this will bring me some headaches at work with a few F5 "ping" checks, but still, to heck with it!
+1 El jue, 22 jul 2021 a las 12:39, Daniel Gruno (<humbed...@apache.org>) escribió: > > On 22/07/2021 10.02, Ruediger Pluem wrote: > > > > > > On 7/21/21 10:04 PM, Eric Covener wrote: > >> I was chasing an unrelated thread about close_notify alerts and > >> reminded me -- is it time to change the default for > >> HttpProtocolOptions from Allow0.9 to Require1.0? > >> > >> As the manual says, the requirement was dropped in RFC 7230. It seems > >> like the kind of potential gadget in future desynch/smuggling kind of > >> attacks that shouldn't be on by default today. > > > > +1 for Require1.0 on 2.4. Typically I would not agree because it can break > > existing applications, but are there really setups out > > there that work with HTTP 0.9? I don't believe so. Hence my +1. > > In which case one can just manually switch back to Allow0.9, right? :) > > +1 for Require1.0 > > > > > Regards > > > > Rüdiger > > > -- Daniel Ferradal HTTPD Project #httpd help at Libera.Chat
