On 7/21/21 10:04 PM, Eric Covener wrote: > I was chasing an unrelated thread about close_notify alerts and > reminded me -- is it time to change the default for > HttpProtocolOptions from Allow0.9 to Require1.0? > > As the manual says, the requirement was dropped in RFC 7230. It seems > like the kind of potential gadget in future desynch/smuggling kind of > attacks that shouldn't be on by default today. > +1, httpd 0.9 is old enough and it's time to deprecate it.
Giovanni
OpenPGP_signature
Description: OpenPGP digital signature