I was chasing an unrelated thread about close_notify alerts and reminded me -- is it time to change the default for HttpProtocolOptions from Allow0.9 to Require1.0?
As the manual says, the requirement was dropped in RFC 7230. It seems like the kind of potential gadget in future desynch/smuggling kind of attacks that shouldn't be on by default today. Any opinions? -- Eric Covener cove...@gmail.com