* Prevent request smuggling
Prevent request smuggling when fasthttp is behind a reverse proxy that
might interprets headers differently by being stricter. Should also
prevent request smuggling when fasthttp is used as the reverse proxy.
* Make header value comparison case-insensitive
* Auto add 'Vary' header after compression
Add config `SetAddVaryHeaderForCompression` to enable
'Vary: Accept-Encoding' header when compression is used.
* feat: always set the Vary header
* create and use `ResponseHeader.AddVaryBytes`
* not export 'AddVaryBytes'
* Response.ContentEncoding(): store as field
The CE is not so often used for plain APIs responses and even not so often used for static files and on the fly compression.
But still it should be checked each time.
Also having a dedicated field getter and setter simplifies code
* header.go Use shorter Response.setNonSpecial() and Request.setNonSpecial() methods instead of SetCanonical()
The change should improve performance because the setSpecialHeader() call is omitted.
As a downside on adding a new basic header field all putHeader() must be replaced with a direct getter and setter.
* Adding zero-allocation uint64 to byte slice conversion and fixing the ResponseHeader.SetStatusLine function call signature
* Removing unnecessary i2b function
* Fixing various bugs
* Adding test cases
* Commenting AppendStatusLine
* Update status.go
Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
* Update header.go
Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
* Cleaning up references to strHTTP11, using formatStatusLine for invalidStatusLine, and making `appendStatusLine` an unexported function
Issue: https://github.com/valyala/fasthttp/issues/1132
* Fixing merge conflicts
Issue: https://github.com/valyala/fasthttp/issues/1132
* Replacing []byte{} with nil in some test cases
Issue: https://github.com/valyala/fasthttp/issues/1132
* Cleaning up parsing first line, and improving StatusMessage function
Issue: https://github.com/valyala/fasthttp/issues/1132
* Fixing as per PR
* Update header.go
Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
* Update header.go
Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
* Fixing as per requested changes
* Update header_test.go
Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
* Add api DisableNoDefaultContentType to disable add default contentype if no Content-Type header.
* Update test case.
* Update api name.
* Update header.go
Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
This means we can't skip parsing headers for GET requests anymore. This
can be seen as good as it also allows us to reject malformed GET
requests, something we didn't do before this. Performance also isn't
affect much:
benchmark old ns/op new ns/op delta
BenchmarkClientGetEndToEnd1Inmemory-16 640 641 +0.16%
BenchmarkClientGetEndToEnd10Inmemory-16 713 710 -0.42%
BenchmarkClientGetEndToEnd100Inmemory-16 732 749 +2.32%
BenchmarkClientGetEndToEnd1000Inmemory-16 759 774 +1.98%
BenchmarkClientGetEndToEnd10KInmemory-16 785 808 +2.93%
BenchmarkNetHTTPClientGetEndToEnd1Inmemory-16 5045 4954 -1.80%
BenchmarkNetHTTPClientGetEndToEnd10Inmemory-16 5806 6225 +7.22%
BenchmarkNetHTTPClientGetEndToEnd100Inmemory-16 7877 7998 +1.54%
BenchmarkNetHTTPClientGetEndToEnd1000Inmemory-16 16603 16559 -0.27%
See: https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8
Reject any non GET or HEAD requests with a 400.
We can't reject GET or HEAD requests with bad headers as we delay
parsing of these headers until the user asks for one. So in this case we
just ignore the header and don't return a value for it.
Erik Dubbelboer
Oleksandr Redko
nickajacks1
AutumnSun
Anthony Ter-Saakov
kinggo
Oleksandr Redko
byene0923
Sergey Ponomarev
Jack.Ju
ichx
Shivansh Vij
Valentin Paz Marcolla
Kazumasa Takenaka (Bamboo)
MoreFreeze
Daniel Firsht
AlphaBaby
sky
phuslu
tedli
ZhangYunHao
Ciprian Dorin Craciun
Maxim Lebedev
Maxim Lebedev
xuecai