Open
Description
As was pointed out on Reddit during our 2.3.0 security release, prior art exists on guarding against desync (request smuggling) attacks. http-desync-guardian is a library which may be able to assist us in catching desync attacks. At the least it's worth looking at, and if we thing the techniques it uses are worthwhile, then integrate either directly, or port to a shape that works for us.