soveran / cuba

Rum based microframework for web development.
http://cuba.is
MIT License

How about defining secure headers in lower case to match the HTTP/2 specification? #107

Closed doridoridoriand closed 7 months ago

doridoridoriand commented 7 months ago

Hi!

Currently, the HTTP/2 protocol specification defines secure headers, which are security-related headers, in uppercase, which is not consistent with the specification since HTTP/2 normally treats headers in lowercase. Also, since secure headers are currently defined in uppercase, some Ruby application servers, such as Rack, treat this as a lint error or validation error, which prevents the web application from starting properly. I would like to propose that secure headers be redefined in lowercase to match the HTTP/2 specification. I believe this will improve consistency in the context of the HTTP/2 protocol and avoid compatibility and application server launch issues.

Currently, the following workaround is available, but I believe that redefining it in lowercase would be a more desirable form.

# Re-key every response header under its lowercase name
# (`keys` returns a fresh array, so deleting while iterating is safe).
res.headers.keys.each do |key|
  res.headers[key.downcase] = res.headers.delete(key)
end

Specific changes: I would like to make a correction to redefine the following in lower case. https://github.com/doridoridoriand/cuba/blob/change-secure-headers-to-lowercase/lib/cuba/safe/secure_headers.rb#L29-L36

References: https://github.com/rack/rack/blob/main/lib/rack/lint.rb#L655-L656 https://datatracker.ietf.org/doc/html/rfc9113#name-http-fields

Regards,
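The workaround above rewrites the headers on each response; the following is an added, stand-alone illustration (not code from the Cuba project or from the issue author) of the same normalization packaged as a small Rack-style middleware, plus the check a lowercase-only lint like Rack 3's performs. The header names and values in `UPPERCASE_SECURE_HEADERS` are constructed placeholders, not Cuba's actual defaults, and `LowercaseHeaderNames`, `downcase_headers` and `offending_header_names` are names chosen here. It needs no gems, since it only follows the `[status, headers, body]` convention.

```ruby
# Added example: normalize response header names to lowercase so they pass a
# lowercase-only lint (Rack 3) and match HTTP/2 field-name rules.
# Not Cuba's own code; names and sample values below are constructed.

# Constructed sample of security headers in the pre-fix, capitalised form.
UPPERCASE_SECURE_HEADERS = {
  "X-Content-Type-Options"    => "nosniff",
  "X-Frame-Options"           => "SAMEORIGIN",
  "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
  "Content-Security-Policy"   => "default-src 'self'",
}.freeze

# Names a lowercase-only lint would reject: any name containing an uppercase letter.
def offending_header_names(headers)
  headers.keys.select { |name| name.match?(/[A-Z]/) }
end

# Return a new hash with every header name lowercased. Names that differ only
# in case would otherwise collide and one value would silently be lost, so
# they are merged: comma-joined for ordinary list-valued fields, kept as an
# array for set-cookie (which must never be comma-joined; Rack 3 accepts arrays).
def downcase_headers(headers)
  headers.each_with_object({}) do |(name, value), out|
    key = name.downcase
    if out.key?(key)
      if key == "set-cookie"
        out[key] = Array(out[key]) + Array(value)
      else
        out[key] = "#{out[key]}, #{value}"
      end
    else
      out[key] = value
    end
  end
end

# Rack-style middleware: wraps an app and lowercases its response header names.
class LowercaseHeaderNames
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, downcase_headers(headers), body]
  end
end

# Demo: an app that still emits capitalised names, wrapped by the middleware.
def run_demo
  app = lambda do |_env|
    [200, UPPERCASE_SECURE_HEADERS.merge("Content-Type" => "text/plain"), ["ok"]]
  end
  LowercaseHeaderNames.new(app).call({})
end

if $PROGRAM_NAME == __FILE__
  puts "would fail lint: #{offending_header_names(UPPERCASE_SECURE_HEADERS).inspect}"
  _status, headers, _body = run_demo
  puts "after middleware: #{headers.inspect}"
end
```

Fixing the names at their definition, as the issue proposes, is still preferable to rewriting them per response: the middleware only papers over the mismatch, and the merge logic exists precisely because case-insensitive duplicates can otherwise drop a security header without any error.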

soveran commented 7 months ago

Hello @doridoridoriand,

It sounds great! Thank you so much for taking the time to report this issue. I think we should do it. Do you want to send me a pull request? Otherwise I can change it myself, so whatever works best for you.

Thanks!

doridoridoriand commented 7 months ago

Hi @soveran Thank you very much for the swift reply 😄 I have created pull request #108 to correct this issue. Please review this.

Regards,

soveran commented 7 months ago

@doridoridoriand Released as version 4.0.3. Thanks again!