I agree with this as well; I haven't had to use 0.9 in over a decade. +1

On Thu, 22 Jul 2021 at 12:03, Roy T. Fielding <field...@gbiv.com> wrote:
>
> On Jul 22, 2021, at 12:29 AM, Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> >> On 21.07.2021 at 22:04, Eric Covener <cove...@gmail.com> wrote:
> >>
> >> I was chasing an unrelated thread about close_notify alerts and
> >> it reminded me -- is it time to change the default for
> >> HttpProtocolOptions from Allow0.9 to Require1.0?
> >>
> >> As the manual says, the requirement was dropped in RFC 7230. It seems
> >> like the kind of potential gadget in future desynch/smuggling kind of
> >> attacks that shouldn't be on by default today.
> >>
> >> Any opinions?
> >
> > +1
> >
> > I think the internet is a different place now from when 2.4 came out.
>
> Yep, we have long passed the point where the Internet depends on header fields
> like Host being present to avoid various attacks. +1
>
> ....Roy
>