> Am 21.07.2021 um 22:04 schrieb Eric Covener <cove...@gmail.com>:
>
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
>
> Any opinions?
+1
I think the internet is a different place now from when 2.4 came out.
- Stefan
