Allow users to plug in their own HTTP headers validator
We’ve been looking into ways to ensure better support for HTTP header names as defined in RFC7230, Section 3.2.6 in Finagle. Today’s header validation rules in Netty (as per DefaultHttpHeaders.java) don’t prohibit ASCII delimiters (e.g., []), and, unfortunately, there is no easy way to configure it otherwise.
One way to do that would be to make a DefaultHttpHeaders constructor that also takes NameValidator public. This should allow users to opt in to RFC7230 headers in their application code. HTTP codecs (think inbound HTTP messages), however, will still be using a default validator. Perhaps allowing users to configure a NameValidator for HTTP codecs is a way to approach this.
I’m curious what people think about this.
Issue Analytics
- State:
- Created 5 years ago
- Reactions:6
- Comments:17 (16 by maintainers)
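A strict header-name check following the token grammar of RFC 7230, Section 3.2.6, shown as an added example that is not code from the issue or from Netty. The class name Rfc7230TokenValidator and the sample names are assumptions made for illustration, and the class has no Netty dependency; it is the kind of check a user-supplied NameValidator could delegate to.

```java
import java.util.BitSet;

/** Hypothetical class: strict header-name check per RFC 7230, Section 3.2.6. */
public final class Rfc7230TokenValidator {
    // tchar = ALPHA / DIGIT / one of "!#$%&'*+-.^_`|~". Everything else
    // (delimiters such as []:, whitespace, controls, non-ASCII) is rejected.
    private static final BitSet TCHAR = new BitSet(128);
    static {
        for (char c = '0'; c <= '9'; c++) TCHAR.set(c);
        for (char c = 'a'; c <= 'z'; c++) TCHAR.set(c);
        for (char c = 'A'; c <= 'Z'; c++) TCHAR.set(c);
        for (char c : "!#$%&'*+-.^_`|~".toCharArray()) TCHAR.set(c);
    }

    /** Index of the first non-tchar, 0 for a null or empty name, -1 if the name is a valid token. */
    public static int firstInvalidIndex(CharSequence name) {
        if (name == null || name.length() == 0) return 0; // token = 1*tchar
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c >= 128 || !TCHAR.get(c)) return i;
        }
        return -1;
    }

    /** Throws on the first offending character instead of silently accepting the name. */
    public static void validateName(CharSequence name) {
        int i = firstInvalidIndex(name);
        if (i < 0) return;
        String detail = (name == null || name.length() == 0)
                ? "empty name"
                : String.format("illegal character 0x%02x at index %d", (int) name.charAt(i), i);
        throw new IllegalArgumentException("invalid header name: " + detail);
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the issue.
        String[] samples = {"Content-Type", "X-Custom_1", "X-Foo[]", "Bad Name", "Host:", "X-Tab\t", ""};
        for (String s : samples) {
            try {
                validateName(s);
                System.out.println("accept \"" + s + "\"");
            } catch (IllegalArgumentException e) {
                System.out.println("reject \"" + s + "\" -> " + e.getMessage());
            }
        }
    }
}
```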
Top GitHub Comments
@normanmaurer Maybe we can include this ticket into the Netty 5 roadmap? We’ll have more room for maneuver there and, perhaps can actually support RFC7230 out of the box.
I like the strict mode idea. As long as users would be able to opt-in for “more valid” headers (either by writing their own validator or switching over to strict) I’m happy.