Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rack 3.0 HTTP/2 headers format #4000

Open
Strech opened this issue Oct 15, 2024 · 0 comments
Open

Rack 3.0 HTTP/2 headers format #4000

Strech opened this issue Oct 15, 2024 · 0 comments
Labels
appsec Application Security monitoring product question General inquiry that may or may not involve changes

Comments

@Strech
Copy link
Member

Strech commented Oct 15, 2024

Starting Rack 3.0 it's enforced at least in development mode to conform with HTTP/2 specification. It's touching in many aspects of the response and especially on header keys format.

It's recommended/enforced to have lower-case header keys in response. Technically, HTTP spec defines header keys as case-insensitive

Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2

At the same time it's a potentially-dangerous move:

I think requiring lower case headers has the potential to break lots of rack applications, frameworks, and middleware. However, it would also simplify a lot of code in the long run. Since HTTP/2 requires it and HTTP/1 works fine with it, it seems a reasonable change for SPEC. I definitely prefer this approach over requiring that response headers be case insensitive.
(by jeremyevans)

But I think we should keep an 👀 on that progress.

Note

In AppSec we return 403 response if InApp-WAF rule triggered and blocked the request. We have camel-case headers set in response object.


Thanks @y9v for investigation support

@Strech Strech added appsec Application Security monitoring product question General inquiry that may or may not involve changes labels Oct 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
appsec Application Security monitoring product question General inquiry that may or may not involve changes
Projects
None yet
Development

No branches or pull requests

1 participant