http: updated docs
ShogunPanda committed Aug 3, 2023
1 parent e22f831 commit 862ba07
Showing 2 changed files with 22 additions and 10 deletions.
20 changes: 16 additions & 4 deletions doc/api/cli.md
Expand Up @@ -957,10 +957,22 @@ added:
- v10.19.0
-->

Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow
interoperability with non-conformant HTTP implementations. It may also allow
request smuggling and other HTTP attacks that rely on invalid headers being
accepted. Avoid using this option.
Enable leniency flags on the HTTP parser. This may allow
interoperability with non-conformant HTTP implementations.

When enabled, the parser will accept the following:

* Invalid HTTP headers values.
* Invalid HTTP versions.
* Allow message containing both `Transfer-Encoding`
and `Content-Length` headers.
* Allow extra data after message when `Connection: close` is present.
* Allow extra trasfer encodings after `chunked` has been provided.
* Allow `\n` to be used as token separator instead of `\r\n`.
* Allow `\r\n` not to be provided after a chunk.

All the above will expose your application to request smuggling
or poisoning attack. Avoid using this option.

### `--jitless`
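
Review bot: The new bullet "Allow extra trasfer encodings after `chunked` has been provided." misspells "transfer", and the first bullet should read "Invalid HTTP header values." The list is introduced with "the parser will accept the following:", yet five of the seven items begin with "Allow", so they do not read as things being accepted; rewording them as noun phrases (for example "Messages containing both `Transfer-Encoding` and `Content-Length` headers.") would make the list parallel. In the closing sentence, "request smuggling or poisoning attack" should be the plural "attacks".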

12 changes: 6 additions & 6 deletions doc/api/http.md
Expand Up @@ -3250,9 +3250,9 @@ changes:
`readableHighWaterMark` and `writableHighWaterMark`. This affects
`highWaterMark` property of both `IncomingMessage` and `ServerResponse`.
**Default:** See [`stream.getDefaultHighWaterMark()`][].
* `insecureHTTPParser` {boolean} Use an insecure HTTP parser that accepts
invalid HTTP headers when `true`. Using the insecure parser should be
avoided. See [`--insecure-http-parser`][] for more information.
* `insecureHTTPParser` {boolean} If set to `true`, it will use a HTTP parser
with leniency flags enabled. Using the insecure parser should be avoided.
See [`--insecure-http-parser`][] for more information.
**Default:** `false`.
* `IncomingMessage` {http.IncomingMessage} Specifies the `IncomingMessage`
class to be used. Useful for extending the original `IncomingMessage`.
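Review bot: "it will use a HTTP parser" in the rewritten `insecureHTTPParser` entry should read "an HTTP parser", and the entry names the same thing two ways ("a HTTP parser with leniency flags enabled", then "the insecure parser") without saying they are the same parser. The replaced wording said what is accepted (invalid HTTP headers); the new wording leaves the reader to follow the `--insecure-http-parser` link to learn what is relaxed and why to avoid it. Suggest tying the two terms together in one sentence and adding a short mention of the request smuggling risk that the `cli.md` text in this commit describes.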
Expand Down Expand Up @@ -3512,9 +3512,9 @@ changes:
request to. **Default:** `'localhost'`.
* `hostname` {string} Alias for `host`. To support [`url.parse()`][],
`hostname` will be used if both `host` and `hostname` are specified.
* `insecureHTTPParser` {boolean} Use an insecure HTTP parser that accepts
invalid HTTP headers when `true`. Using the insecure parser should be
avoided. See [`--insecure-http-parser`][] for more information.
* `insecureHTTPParser` {boolean} If set to `true`, it will use a HTTP parser
with leniency flags enabled. Using the insecure parser should be avoided.
See [`--insecure-http-parser`][] for more information.
**Default:** `false`
* `joinDuplicateHeaders` {boolean} It joins the field line values of
multiple headers in a request with `, ` instead of discarding
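Review bot: The unchanged line "**Default:** `false`" directly under the edited `insecureHTTPParser` entry has no trailing period, while the same entry in the other `http.md` hunk of this commit ends with "**Default:** `false`."; since the entry is being reworded anyway, align the two. The added line "it will use a HTTP parser" should also read "an HTTP parser".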