> > So a few questions:
> >
> > - Is it reasonable as a standalone additional HTTPProtocolOption to
> >   decide the behavior?
> > - Thoughts on behavior change in 2.4.x?
> > - 400 as a status code?
> >
> > https://httpwg.org/specs/rfc9112.html#rfc.section.6.1.p.15
> >
> > A server MAY reject a request that contains both Content-Length and
> > Transfer-Encoding or process such a request in accordance with the
> > Transfer-Encoding alone. Regardless, the server MUST close the
> > connection after responding to such a request to avoid the potential
> > attacks.
>
> We currently ignore the content-length header, proceed and close the
> connection afterwards as suggested above. Do you suggest that we should
> reject such requests based on a configuration setting?

Yes, reject when both are set.
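
The two behaviours discussed in this thread, side by side, as an added example that is not part of the original messages and is not httpd code. The `cl_te_policy` switch, the `framing` struct and the function names are hypothetical stand-ins for the proposed configuration setting; 400 is the status code the thread asks about.

```c
#include <string.h>
#include <strings.h>

/* Hypothetical policy switch standing in for the configuration setting
 * discussed in the thread (not an httpd directive). */
enum cl_te_policy { CL_TE_USE_TE_ONLY, CL_TE_REJECT };

struct framing {
    int status;      /* 0 = keep processing, 400 = reject the request */
    int use_cl;      /* 1 if Content-Length frames the body */
    int close_conn;  /* 1 if the connection must close after the response */
};

/* Return 1 if the CRLF-separated header block contains a field with this
 * name. Field names are compared case-insensitively. */
static int has_field(const char *headers, const char *name)
{
    size_t n = strlen(name);
    const char *line = headers;

    while (line && *line) {
        if (strncasecmp(line, name, n) == 0 && line[n] == ':')
            return 1;
        line = strstr(line, "\r\n");
        if (line)
            line += 2;   /* step past CRLF to the next header line */
    }
    return 0;
}

/* Apply the RFC 9112 section 6.1 rule for requests that carry both
 * Content-Length and Transfer-Encoding. */
struct framing decide_framing(const char *headers, enum cl_te_policy policy)
{
    struct framing f = {0, 0, 0};
    int cl = has_field(headers, "Content-Length");
    int te = has_field(headers, "Transfer-Encoding");

    if (cl && te) {
        f.close_conn = 1;            /* MUST close under either policy */
        if (policy == CL_TE_REJECT)
            f.status = 400;          /* reject when both are set */
        /* otherwise Content-Length is ignored and Transfer-Encoding
         * alone frames the body */
    } else if (cl) {
        f.use_cl = 1;
    }
    return f;
}
```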