> nginx is about as popular as GWS, same reasoning might be considered. What I'm saying is exceptional about GWS is not its popularity. Of course, Nginx (and Apache) are similarly popular. I'm arguing that because GWS is by design a single-purpose web server that serves the interest of a single company, it is expected that it implements unorthodox decisions that benefit that company.
Nginx is general-purpose software. It is therefore reasonable to expect that it would support a configuration that behaves in the way most users expect a web server to behave (i.e., reject invalid incoming messages). > btw, do you suggest to > 1) introduce new behaviour by some setting (default is unchanged) > 2) change default behaviour Changing defaults is messy for programs as relied-upon as Nginx. I offer no suggestions about how default behaviors should change. > and I'm quite curious why do you want to change current behaviour HTTP request smuggling attacks rely on inconsistent parsing behaviors across web servers. These same behaviors also form the basis for HTTP server fingerprinting techniques. It is not always obvious at first glance whether a discrepancy is useful for these purposes. For this reason, I am generally in favor of offering users the opportunity to opt out of behaviors that are not recommended by the RFCs. -Ben _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel