> On Jul 22, 2021, at 12:29 AM, Stefan Eissing <stefan.eiss...@greenbytes.de> 
> wrote:
>> Am 21.07.2021 um 22:04 schrieb Eric Covener <cove...@gmail.com>:
>> I was chasing an unrelated thread about close_notify alerts and
>> reminded me -- is it time to change the default for
>> HttpProtocolOptions from Allow0.9 to Require1.0?
>> As the manual says, the requirement was dropped in RFC 7230. It seems
>> like the kind of potential gadget in future desynch/smuggling kind of
>> attacks that shouldn't be on by default today.
>> Any opinions?
> +1
> I think the internet is a different place now from when 2.4 came out.

Yep, we have long past the point where the Internet depends on header fields
like Host being present to avoid various attacks. +1


Reply via email to