> On Sep 26, 2022, at 5:29 AM, ic...@apache.org wrote: > > Author: icing > Date: Mon Sep 26 12:29:47 2022 > New Revision: 1904269 > > URL: http://svn.apache.org/viewvc?rev=1904269&view=rev > Log: > *) mod_http2: new directive "H2HeaderStrictness" to control the compliance > level of header checks as defined in the HTTP/2 RFCs. Default is 7540. > 9113 activates the checks for forbidden leading/trailing whitespace in > field values (available from nghttp2 v1.50.0 on).
I am not seeing why that should be optional. It adds overhead, but it reduces variability (for HPACK) and might prevent some downstream vulnerabilities, IIRC. Maybe an internal switch for testing with default on? ....Roy
