Description
Problem
HTTP Desync attacks are pretty bad and there are a lot of bad/permissive http implementations out there that act as proxies.
I didn't see any discussion / tests of hyper surrounding that so I wanted to start the discussion around the topic given that hyper is now 1.0 (and used in production in a lot of places).
Ideas
- A suite of tests to demonstrate that an hyper server reacts as best it can (given it doesn't control the proxy)
- Creating a flag for hardened/more strict version of hyper (server mostly)
For the second point, I would take a lot of work that has been done by AWS already in https://github.com/aws/http-desync-guardian and try to incorporate it in hyper where it makes sense. This includes going more strict than the spec to avoid confusions.
Things like ignoring a CL when a TE is present is risky (even if the spec says that it must be ignored) since a proxy might very well not ignore the CL. So even if hyper is "correct", that won't prevent a leak. Under an hypothetical strict flag, this would result in the request being rejected.
Lines 251 to 253 in 210bfaa
Additional context