Commit 70d2bc7

committed
http: updated docs
1 parent 1872bb6 commit 70d2bc7

2 files changed

+22
-10
lines changed

doc/api/cli.md

+16-4
@@ -980,10 +980,22 @@ added:
980980
- v10.19.0
981981
-->
982982

983-
Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow
984-
interoperability with non-conformant HTTP implementations. It may also allow
985-
request smuggling and other HTTP attacks that rely on invalid headers being
986-
accepted. Avoid using this option.
983+
Enable leniency flags on the HTTP parser. This may allow
984+
interoperability with non-conformant HTTP implementations.
985+
986+
When enabled, the parser will accept the following:
987+
988+
* Invalid HTTP headers values.
989+
* Invalid HTTP versions.
990+
* Allow message containing both `Transfer-Encoding`
991+
and `Content-Length` headers.
992+
* Allow extra data after message when `Connection: close` is present.
993+
* Allow extra trasfer encodings after `chunked` has been provided.
994+
* Allow `\n` to be used as token separator instead of `\r\n`.
995+
* Allow `\r\n` not to be provided after a chunk.
996+
997+
All the above will expose your application to request smuggling
998+
or poisoning attack. Avoid using this option.
987999

9881000
### `--jitless`
9891001
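
Review bot: the added line "* Allow extra trasfer encodings after `chunked` has been provided." (new line 993) misspells "transfer", and the list around it does not read on from its intro "When enabled, the parser will accept the following:", because the first two items are noun phrases while the rest start with "Allow". Suggest making every item a noun phrase (for example "Messages containing both `Transfer-Encoding` and `Content-Length` headers"), changing "Invalid HTTP headers values" to "Invalid HTTP header values", and ending the warning with "request smuggling or poisoning attacks".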

doc/api/http.md

+6-6
@@ -3449,9 +3449,9 @@ changes:
34493449
`readableHighWaterMark` and `writableHighWaterMark`. This affects
34503450
`highWaterMark` property of both `IncomingMessage` and `ServerResponse`.
34513451
**Default:** See [`stream.getDefaultHighWaterMark()`][].
3452-
* `insecureHTTPParser` {boolean} Use an insecure HTTP parser that accepts
3453-
invalid HTTP headers when `true`. Using the insecure parser should be
3454-
avoided. See [`--insecure-http-parser`][] for more information.
3452+
* `insecureHTTPParser` {boolean} If set to `true`, it will use a HTTP parser
3453+
with leniency flags enabled. Using the insecure parser should be avoided.
3454+
See [`--insecure-http-parser`][] for more information.
34553455
**Default:** `false`.
34563456
* `IncomingMessage` {http.IncomingMessage} Specifies the `IncomingMessage`
34573457
class to be used. Useful for extending the original `IncomingMessage`.
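
Review bot: in the added `insecureHTTPParser` entry (new lines 3452-3454), "Using the insecure parser should be avoided" no longer has an antecedent, because the first sentence now only says that "leniency flags" are enabled and drops the removed wording "accepts invalid HTTP headers". Suggest keeping a short statement of what the lenient parser accepts, or of the risk, in this entry alongside the link to `--insecure-http-parser`, and writing "an HTTP parser" rather than "a HTTP parser".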
@@ -3742,9 +3742,9 @@ changes:
37423742
request to. **Default:** `'localhost'`.
37433743
* `hostname` {string} Alias for `host`. To support [`url.parse()`][],
37443744
`hostname` will be used if both `host` and `hostname` are specified.
3745-
* `insecureHTTPParser` {boolean} Use an insecure HTTP parser that accepts
3746-
invalid HTTP headers when `true`. Using the insecure parser should be
3747-
avoided. See [`--insecure-http-parser`][] for more information.
3745+
* `insecureHTTPParser` {boolean} If set to `true`, it will use a HTTP parser
3746+
with leniency flags enabled. Using the insecure parser should be avoided.
3747+
See [`--insecure-http-parser`][] for more information.
37483748
**Default:** `false`
37493749
* `joinDuplicateHeaders` {boolean} It joins the field line values of
37503750
multiple headers in a request with `, ` instead of discarding
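
Review bot: the added text at new lines 3745-3747 is a second verbatim copy of the `insecureHTTPParser` description from the previous hunk, so any wording fix has to be applied in both places or the two entries will drift apart. The unchanged line that follows, "**Default:** `false`", also lacks the trailing period that the same line carries in the previous hunk; since this entry is being edited, it could be aligned in the same change.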
