zeromq / netmq

A 100% native C# implementation of ZeroMQ for .NET

Curve server accepts messages that it shouldn't #1036

Open toserk opened 1 year ago

toserk commented 1 year ago

Environment

NetMQ Version: 4.0.1.10
Operating System: Windows 10
.NET Version: 6.0

Expected behaviour

Socket does accept messages from NetMQ clients with valid public cert. Socket does not accept messages from NetMQ clients with invalid public cert. Socket does not accept messages from random non-NetMQ clients.

Actual behaviour

Socket does accept messages from NetMQ clients with valid public cert. Socket does not accept messages from NetMQ clients with invalid public cert. Socket does accept messages from random non-NetMQ clients (web browsers for example).

Steps to reproduce the behaviour

Emulating web browser with HttpClient

using System;
using System.Net.Http;
using NetMQ;
using NetMQ.Sockets;

// CURVE-enabled ROUTER socket bound to a random local port
var serverCert = new NetMQCertificate();
using var server = new RouterSocket();
server.Options.CurveServer = true;
server.Options.CurveCertificate = serverCert;
var port = server.BindRandomPort("tcp://localhost");

// Plain HTTP GET with browser-like headers, sent to the ZeroMQ port
using var client = new HttpClient();
using var request = new HttpRequestMessage(HttpMethod.Get, $"http://localhost:{port}");
request.Headers.TryAddWithoutValidation("Accept", "text/html,application/xhtml+xml,application/xml");
request.Headers.TryAddWithoutValidation("Accept-Encoding", "gzip, deflate");
request.Headers.TryAddWithoutValidation("User-Agent", "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0");
request.Headers.TryAddWithoutValidation("Accept-Charset", "ISO-8859-1");
_ = client.SendAsync(request); // fire and forget; the HTTP response is not awaited

// Blocks until the socket delivers a frame to the application, then prints it
var s = server.ReceiveFrameString();
Console.WriteLine(s);

chylex commented 7 months ago

Confirmed this is happening in the latest version (4.0.1.13). Is this a problem with ZeroMQ itself, or just NetMQ? This seems like a huge oversight.
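
For reference, the byte-level difference between the HTTP client in the repro and a ZeroMQ peer announcing CURVE, as an added example that is not part of the thread and not NetMQ's code. It assumes the 64-byte ZMTP 3.x greeting layout from the ZeroMQ RFCs; the `ZmtpGreeting` class and both sample buffers are constructed for illustration.

```csharp
using System;
using System.Text;

// Added illustration: classify the first 64 bytes a peer sends.
// Assumed layout (ZMTP 3.x greeting):
//   [0]=0xFF, [1..8]=padding, [9]=0x7F, [10]=major, [11]=minor,
//   [12..31]=mechanism (ASCII, NUL-padded), [32]=as-server, [33..63]=filler
public static class ZmtpGreeting
{
    public const int Length = 64;

    public static bool IsCurveGreeting(ReadOnlySpan<byte> first, out string reason)
    {
        if (first.Length < Length) { reason = "fewer than 64 bytes"; return false; }
        if (first[0] != 0xFF || first[9] != 0x7F) { reason = "bad signature"; return false; }
        if (first[10] < 3) { reason = $"ZMTP major version {first[10]} < 3"; return false; }

        var mech = Encoding.ASCII.GetString(first.Slice(12, 20)).TrimEnd('\0');
        if (mech != "CURVE") { reason = $"mechanism '{mech}', expected CURVE"; return false; }

        reason = "ok";
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample 1: start of an HTTP request, zero-padded to 64 bytes.
        var http = new byte[ZmtpGreeting.Length];
        Encoding.ASCII.GetBytes("GET / HTTP/1.1\r\nHost: localhost\r\n").CopyTo(http, 0);

        // Constructed sample 2: a ZMTP 3.1 client greeting announcing CURVE.
        var zmtp = new byte[ZmtpGreeting.Length];
        zmtp[0] = 0xFF; zmtp[9] = 0x7F; zmtp[10] = 3; zmtp[11] = 1;
        Encoding.ASCII.GetBytes("CURVE").CopyTo(zmtp, 12);

        foreach (var (name, bytes) in new[] { ("http", http), ("zmtp", zmtp) })
        {
            bool ok = ZmtpGreeting.IsCurveGreeting(bytes, out var reason);
            Console.WriteLine($"{name}: accepted={ok} ({reason})");
        }
    }
}
```

Passing this check only shows that a peer speaks ZMTP and announces CURVE; authentication itself happens in the CURVE handshake that follows the greeting.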