On 7/21/21 10:04 PM, Eric Covener wrote:
> I was chasing an unrelated thread about close_notify alerts and it
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.

+1 for Require1.0 on 2.4. Typically I would not agree because it can break
existing applications, but are there really setups out there that work with
HTTP 0.9? I don't believe so. Hence my +1.

Regards

Rüdiger
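
One way to check whether any client still sends HTTP/0.9 requests before moving to Require1.0, added here as an example that is not part of the original mails or of httpd itself. It assumes access logs in the common/combined LogFormat, where the request line (%r) is the first quoted field; the function names and sample lines are constructed for illustration.

```python
import re

# Assumption: Apache "common"/"combined" LogFormat, where %r (the request line)
# is the first double-quoted field of each log line.
REQUEST_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')
HTTP_VERSION = re.compile(r'^HTTP/\d+\.\d+$')


def classify_request_line(request_line):
    """Return 'http/0.9', 'versioned' or 'other' for one logged request line."""
    parts = request_line.split(" ")
    if len(parts) == 3 and HTTP_VERSION.match(parts[2]):
        return "versioned"
    # HTTP/0.9 simple request: "GET <target>" with no version token.
    if len(parts) == 2 and parts[0] == "GET" and parts[1].startswith("/"):
        return "http/0.9"
    # Empty, truncated or non-HTTP bytes (e.g. a TLS handshake on a plain port).
    return "other"


def find_http09_clients(log_lines):
    """Map client address -> number of HTTP/0.9-style requests it sent."""
    clients = {}
    for line in log_lines:
        match = REQUEST_FIELD.search(line)
        if not match:
            continue
        if classify_request_line(match.group(1)) == "http/0.9":
            client = line.split(" ", 1)[0]
            clients[client] = clients.get(client, 0) + 1
    return clients


# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jul/2021:22:04:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '192.0.2.44 - - [21/Jul/2021:22:04:05 +0000] "GET /status" 200 31 "-" "-"',
    '192.0.2.44 - - [21/Jul/2021:22:05:05 +0000] "GET /status" 200 31 "-" "-"',
    '198.51.100.7 - - [21/Jul/2021:22:06:11 +0000] "\\x16\\x03\\x01" 400 226 "-" "-"',
    '198.51.100.9 - - [21/Jul/2021:22:07:00 +0000] "-" 408 - "-" "-"',
]

if __name__ == "__main__":
    for client, count in sorted(find_http09_clients(SAMPLE_LOG).items()):
        print(f"{client}: {count} HTTP/0.9 request(s)")
```

Clients reported here would stop being served once Require1.0 is in effect, so an empty result over a representative log window supports making the change.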