Title: Allow multiple single-value headers in HTTP/2 with a new insecure parser option · Issue #59651 · nodejs/node · GitHub
Open Graph Title: Allow multiple single-value headers in HTTP/2 with a new insecure parser option · Issue #59651 · nodejs/node
X Title: Allow multiple single-value headers in HTTP/2 with a new insecure parser option · Issue #59651 · nodejs/node
Description: What is the problem this feature will solve? HTTP/2 includes restrictions that block any attempt to send multiple values of known single-values headers in requests or responses (here). This restriction doesn't exist in our HTTP/1 impleme...
Open Graph Description: What is the problem this feature will solve? HTTP/2 includes restrictions that block any attempt to send multiple values of known single-values headers in requests or responses (here). This restric...
X Description: What is the problem this feature will solve? HTTP/2 includes restrictions that block any attempt to send multiple values of known single-values headers in requests or responses (here). This restric...
Opengraph URL: https://github.com/nodejs/node/issues/59651
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Allow multiple single-value headers in HTTP/2 with a new insecure parser option","articleBody":"### What is the problem this feature will solve?\n\nHTTP/2 includes restrictions that block any attempt to send multiple values of known single-values headers in requests or responses ([here](https://github.com/nodejs/node/blob/83c955d8c26087ada9ab54bbd75c6497125d9812/lib/internal/http2/util.js#L785-L789)). \n\nThis restriction doesn't exist in our HTTP/1 implementation:\n\n```js\nconst http = require('http');\n\nhttp.createServer((req, res) =\u003e {\n res.writeHead(200, { date: ['a', 'b'] });\n res.end();\n}).listen(9000);\n```\n\nThis sends two `date` headers in the response with no problem at all.\n\nBlocking this is a reasonable default imo (normal applications shouldn't send multiple single-value headers) but is problematic as a hard restriction, because there do exist real clients and servers that do all sorts of technically-invalid-but-parseable things like this. Clients \u0026 servers in Node.js that need to integrate, proxy or emulate these behaviours run into problems when that's blocked (in my case: https://github.com/httptoolkit/httptoolkit/issues/785).\n\n### What is the feature you are proposing to solve the problem?\n\nI'd suggest we add an option to disable this restriction. Technically this appears very easy to do, the question is the API and whether we're happy to do it.\n\nWe do currently already have one insecure funky parsing option for HTTP/2 servers and clients: `strictFieldWhitespaceValidation`.\n\nWe could either add a new option like `strictSingleValueHeaderValidation` defaulting to true, or we could move towards a more general `insecureHTTPParser` option, just like HTTP/1 (potentially sharing the same --insecure-http-parser CLI option) to allow users to explicitly opt into all of those kinds of insecure settings at once (I think most users who want one kind of insecure validation are likely to want all of them - does that seem plausible?). That would allow users to indicate they want to be able to send \u0026 receive content without any validation that's not strictly required for parsing/generating output. In the latter case, I imagine we'd slowly deprecate `strictFieldWhitespaceValidation` and move towards a world where we maintain a single option.\n\n### What alternatives have you considered?\n\nCurrently there's no alternatives - it's impossible to send these requests or responses with Node unless you reimplement HTTP/2 from scratch.\n\nOpening this issue to collect opinions on the options and concept generally here, particularly from @jasnell, @apapirovski and @mildsunrise who've touched on this code in the past.","author":{"url":"https://github.com/pimterry","@type":"Person","name":"pimterry"},"datePublished":"2025-08-27T17:56:55.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/59651/node/issues/59651"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:bb3cc53c-086a-78d1-db0f-ca941c970937 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | D8CA:39FFB3:2295BD7:31E9CB2:6A4D10DB |
| html-safe-nonce | 1a0b82cb0991609227c0d890043027157cbdc0aeac529978f9d794c7f1b67251 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEOENBOjM5RkZCMzoyMjk1QkQ3OjMxRTlDQjI6NkE0RDEwREIiLCJ2aXNpdG9yX2lkIjoiNTMwMjQ3ODc0NjA5OTE5MjAyNyIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | f2fe349e5403b9e4affd4c55ae9632ea38597ce3edd61b42023caf069f60eaa5 |
| hovercard-subject-tag | issue:3360332483 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/nodejs/node/59651/issue_layout |
| twitter:image | https://opengraph.githubassets.com/77268a874e72f230e1866d55ee1c3e5e7d1168d94cd9d2c7589f5612ec5e3e3c/nodejs/node/issues/59651 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/77268a874e72f230e1866d55ee1c3e5e7d1168d94cd9d2c7589f5612ec5e3e3c/nodejs/node/issues/59651 |
| og:image:alt | What is the problem this feature will solve? HTTP/2 includes restrictions that block any attempt to send multiple values of known single-values headers in requests or responses (here). This restric... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | pimterry |
| hostname | github.com |
| expected-hostname | github.com |
| None | f02420044fa3730a0607f4a52546bdd73f5ae60187ef57d284ecb6d7f3f1d880 |
| turbo-cache-control | no-preview |
| go-import | github.com/nodejs/node git https://github.com/nodejs/node.git |
| octolytics-dimension-user_id | 9950313 |
| octolytics-dimension-user_login | nodejs |
| octolytics-dimension-repository_id | 27193779 |
| octolytics-dimension-repository_nwo | nodejs/node |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 27193779 |
| octolytics-dimension-repository_network_root_nwo | nodejs/node |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | f0b6a62c1f0be1086cb0b5b077b82cebe520eb42 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width