[squid-users] What about http 1 must die?
Amos Jeffries
squid3 at treenet.co.nz
Sun Aug 31 17:15:58 UTC 2025
On 31/08/25 07:49, NgTech LTD wrote:
> Hey,
>
> I have seen this research:
>
> https://portswigger.net/research/http1-must-die
>
I'm not sure I would call that research exactly. It is pretty much an
enumeration of theoretical flaws in HTTP/1 which **might** occur
assuming one of the HTTP agents is designed badly.
I notice that proper implementation of HTTP security requirements closes
off a number of issues listed there.
For example, all mentioned issues with "obs-fold" (obsolete HTTP/1.0
whitespace folding) in Content-Length headers are not a problem when one
obeys the RFC7230 / RFC9112 requirement to either replace obs-fold with
a single SP **before** processing the headers, or to respond with a
connection error (404 status response and TCP RST) whenever it is
received on HTTP/1.1 messages.
> And was wondering how squid is handling such cases.
>
AFAICS, Squid has been around and been updated with workarounds and
fixes for all of these cases (and many more pre-RFC9112 issues) as they
were discovered.
Today Squid has a rather strict parsing of input, with our "lenient"
mode only tolerating the broken inputs when they are able to be fixed
without causing more issues and essentially no behavior change.
Not sure I would go as far as the "must die" argument quite yet. The
HTTP/1 syntax still has a place as a human-readable display for any HTTP
version. But yes, the time to stop sending it in communications is fast
approaching. HTTP/2 had its 10 year birthday earlier this year!
HTH
Amos
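As an added illustration of the obs-fold handling Amos describes (example code written for this archive page, not Squid's parser and not from anyone in the thread): a small Python pre-processor that, per RFC 9112 section 5.2, either refuses a folded field line or replaces the fold with one SP before Content-Length is ever interpreted, and then applies the usual single-unambiguous-framing check. The header block, the function names and the `reject_obs_fold` switch are constructed for this example.

```python
"""Handle obs-fold BEFORE interpreting any HTTP/1 field (RFC 9112 s.5.2)."""
import re

_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 9110 token
_DIGITS = re.compile(rb"^[0-9]+$")


def unfold_headers(block, reject_obs_fold=True):
    """Return [(lowercased name, value)] with obs-fold resolved first.

    reject_obs_fold=True  -> raise ValueError (caller treats as connection error)
    reject_obs_fold=False -> each obs-fold becomes a single SP ("lenient" mode)
    """
    fields = []
    for line in block.split(b"\r\n"):
        if line == b"":
            continue
        if line[:1] in (b" ", b"\t"):            # continuation line == obs-fold
            if reject_obs_fold or not fields:
                raise ValueError("obs-fold in header block")
            name, value = fields[-1]
            joined = (value + b" " + line.strip(b" \t")).strip(b" \t")
            fields[-1] = (name, joined)
            continue
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):    # also rejects "Name :" (SP before colon)
            raise ValueError("malformed field line: %r" % line)
        fields.append((name.lower(), value.strip(b" \t")))
    return fields


def content_length(fields):
    """Single, digit-only Content-Length, or None; anything ambiguous is rejected."""
    values = {v for n, v in fields if n == b"content-length"}
    if not values:
        return None
    if len(values) != 1 or any(n == b"transfer-encoding" for n, _ in fields):
        raise ValueError("ambiguous message framing")      # CL/TE or conflicting CLs
    (v,) = values
    if not _DIGITS.match(v):
        raise ValueError("invalid Content-Length")
    return int(v)


def rejected(block, **kw):
    """True if the block is refused at the unfold or the framing stage."""
    try:
        content_length(unfold_headers(block, **kw))
    except ValueError:
        return True
    return False


# Constructed sample: Content-Length split over an obs-fold continuation line.
FOLDED = b"Host: example.test\r\nContent-Length:\r\n 5\r\n\r\n"
# Constructed sample: both framing headers present on one message.
CL_AND_TE = b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
```

In strict mode the folded block is refused outright; in lenient mode it is read as `Content-Length: 5` only because the fold was replaced by SP before the value was parsed.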