hojongs commented on PR #579:
URL: https://github.com/apache/tomcat/pull/579#issuecomment-1413855117
@markt-asf I get what you mean. But some people (including me) usually use the status codes with additional cases. For example, the status code 400 doesn't occur only in the badly formatted request. When requests are formatted well but the request value is incorrect, I use the status code 400 to respond to the request (because I think the status code 400 is the most suitable in this case).

Another use case: Sometimes our service can respond to clients with status code 500 during connections because of some reasons. In these cases, I don't want decreased performance by dropping connections due to responses of the status code 500, even though I need to endure the security concerns you mentioned. So I want this option to choose control over the default behavior.

I think it'll be fine if users can have the opportunity to choose the behavior while the default behavior is dropping the connection for the security concern you mentioned. It'll be safer for servers to drop connections as the default behavior.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.