Saw the above and thought it was interesting; flaws in HTTP2 enabling these attack vectors. It made me wonder if Caddy has any protections against this sort of thing?
Looks like golang released 1.21.3 which includes this fix, at least for net/http.
We’ll cut a release shortly with the fix.
Thanks for the hard work all, it’s appreciated.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.