On Mon, Nov 5, 2012 at 12:11 PM, Branko Čibej <br...@wandisco.com> wrote: > On 05.11.2012 00:21, Thomas Åkesson wrote: >> I did some tests with curl --head just as a sanity check. It seems to be a >> good choice for access control. I primarily wanted to see that HEAD requests >> were not allowed in situations where GET is not (e.g. when user has access >> in directories below). >> >> The HEAD requests I performed (minimal curl command) did not cause the >> server to provide Content-Length when returning "200 OK". > > Which is precisely what I was talking about in my other post. Such HEAD > responses are invalid. If we implement HEAD, we have to do it correctly. > I believe we use chunked responses and I assume they do not require Content-Length header.
-- Ivan Zhakov
