René's URL Explorer Experiment


Title: Allow multiple single-value headers in HTTP/2 with a new insecure parser option · Issue #59651 · nodejs/node · GitHub

Open Graph Title: Allow multiple single-value headers in HTTP/2 with a new insecure parser option · Issue #59651 · nodejs/node

X Title: Allow multiple single-value headers in HTTP/2 with a new insecure parser option · Issue #59651 · nodejs/node

Description: What is the problem this feature will solve? HTTP/2 includes restrictions that block any attempt to send multiple values of known single-values headers in requests or responses (here). This restriction doesn't exist in our HTTP/1 impleme...

Open Graph Description: What is the problem this feature will solve? HTTP/2 includes restrictions that block any attempt to send multiple values of known single-values headers in requests or responses (here). This restric...

X Description: What is the problem this feature will solve? HTTP/2 includes restrictions that block any attempt to send multiple values of known single-values headers in requests or responses (here). This restric...

Opengraph URL: https://github.com/nodejs/node/issues/59651

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Allow multiple single-value headers in HTTP/2 with a new insecure parser option","articleBody":"### What is the problem this feature will solve?\n\nHTTP/2 includes restrictions that block any attempt to send multiple values of known single-values headers in requests or responses ([here](https://github.com/nodejs/node/blob/83c955d8c26087ada9ab54bbd75c6497125d9812/lib/internal/http2/util.js#L785-L789)). \n\nThis restriction doesn't exist in our HTTP/1 implementation:\n\n```js\nconst http = require('http');\n\nhttp.createServer((req, res) =\u003e {\n    res.writeHead(200, { date: ['a', 'b'] });\n    res.end();\n}).listen(9000);\n```\n\nThis sends two `date` headers in the response with no problem at all.\n\nBlocking this is a reasonable default imo (normal applications shouldn't send multiple single-value headers) but is problematic as a hard restriction, because there do exist real clients and servers that do all sorts of technically-invalid-but-parseable things like this. Clients \u0026 servers in Node.js that need to integrate, proxy or emulate these behaviours run into problems when that's blocked (in my case: https://github.com/httptoolkit/httptoolkit/issues/785).\n\n### What is the feature you are proposing to solve the problem?\n\nI'd suggest we add an option to disable this restriction. Technically this appears very easy to do, the question is the API and whether we're happy to do it.\n\nWe do currently already have one insecure funky parsing option for HTTP/2 servers and clients: `strictFieldWhitespaceValidation`.\n\nWe could either add a new option like `strictSingleValueHeaderValidation` defaulting to true, or we could move towards a more general `insecureHTTPParser` option, just like HTTP/1 (potentially sharing the same --insecure-http-parser CLI option) to allow users to explicitly opt into all of those kinds of insecure settings at once (I think most users who want one kind of insecure validation are likely to want all of them - does that seem plausible?). That would allow users to indicate they want to be able to send \u0026 receive content without any validation that's not strictly required for parsing/generating output. In the latter case, I imagine we'd slowly deprecate `strictFieldWhitespaceValidation` and move towards a world where we maintain a single option.\n\n### What alternatives have you considered?\n\nCurrently there's no alternatives - it's impossible to send these requests or responses with Node unless you reimplement HTTP/2 from scratch.\n\nOpening this issue to collect opinions on the options and concept generally here, particularly from @jasnell, @apapirovski and @mildsunrise who've touched on this code in the past.","author":{"url":"https://github.com/pimterry","@type":"Person","name":"pimterry"},"datePublished":"2025-08-27T17:56:55.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/59651/node/issues/59651"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:bb3cc53c-086a-78d1-db0f-ca941c970937
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idD8CA:39FFB3:2295BD7:31E9CB2:6A4D10DB
html-safe-nonce1a0b82cb0991609227c0d890043027157cbdc0aeac529978f9d794c7f1b67251
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEOENBOjM5RkZCMzoyMjk1QkQ3OjMxRTlDQjI6NkE0RDEwREIiLCJ2aXNpdG9yX2lkIjoiNTMwMjQ3ODc0NjA5OTE5MjAyNyIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9
visitor-hmacf2fe349e5403b9e4affd4c55ae9632ea38597ce3edd61b42023caf069f60eaa5
hovercard-subject-tagissue:3360332483
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/nodejs/node/59651/issue_layout
twitter:imagehttps://opengraph.githubassets.com/77268a874e72f230e1866d55ee1c3e5e7d1168d94cd9d2c7589f5612ec5e3e3c/nodejs/node/issues/59651
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/77268a874e72f230e1866d55ee1c3e5e7d1168d94cd9d2c7589f5612ec5e3e3c/nodejs/node/issues/59651
og:image:altWhat is the problem this feature will solve? HTTP/2 includes restrictions that block any attempt to send multiple values of known single-values headers in requests or responses (here). This restric...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernamepimterry
hostnamegithub.com
expected-hostnamegithub.com
Nonef02420044fa3730a0607f4a52546bdd73f5ae60187ef57d284ecb6d7f3f1d880
turbo-cache-controlno-preview
go-importgithub.com/nodejs/node git https://github.com/nodejs/node.git
octolytics-dimension-user_id9950313
octolytics-dimension-user_loginnodejs
octolytics-dimension-repository_id27193779
octolytics-dimension-repository_nwonodejs/node
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id27193779
octolytics-dimension-repository_network_root_nwonodejs/node
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
releasef0b6a62c1f0be1086cb0b5b077b82cebe520eb42
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/nodejs/node/issues/59651#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fissues%2F59651
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fissues%2F59651
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=nodejs%2Fnode
Reloadhttps://github.com/nodejs/node/issues/59651
Reloadhttps://github.com/nodejs/node/issues/59651
Reloadhttps://github.com/nodejs/node/issues/59651
Please reload this pagehttps://github.com/nodejs/node/issues/59651
nodejs https://github.com/nodejs
nodehttps://github.com/nodejs/node
Please reload this pagehttps://github.com/nodejs/node/issues/59651
Notifications https://github.com/login?return_to=%2Fnodejs%2Fnode
Fork 36k https://github.com/login?return_to=%2Fnodejs%2Fnode
Star 118k https://github.com/login?return_to=%2Fnodejs%2Fnode
Code https://github.com/nodejs/node
Issues 1.4k https://github.com/nodejs/node/issues
Pull requests 957 https://github.com/nodejs/node/pulls
Actions https://github.com/nodejs/node/actions
Projects https://github.com/nodejs/node/projects
Security and quality 0 https://github.com/nodejs/node/security
Insights https://github.com/nodejs/node/pulse
Code https://github.com/nodejs/node
Issues https://github.com/nodejs/node/issues
Pull requests https://github.com/nodejs/node/pulls
Actions https://github.com/nodejs/node/actions
Projects https://github.com/nodejs/node/projects
Security and quality https://github.com/nodejs/node/security
Insights https://github.com/nodejs/node/pulse
#59917https://github.com/nodejs/node/pull/59917
Allow multiple single-value headers in HTTP/2 with a new insecure parser optionhttps://github.com/nodejs/node/issues/59651#top
#59917https://github.com/nodejs/node/pull/59917
feature requestIssues that request new features to be added to Node.js.https://github.com/nodejs/node/issues?q=state%3Aopen%20label%3A%22feature%20request%22
http2Issues or PRs related to the http2 subsystem.https://github.com/nodejs/node/issues?q=state%3Aopen%20label%3A%22http2%22
https://github.com/pimterry
pimterryhttps://github.com/pimterry
on Aug 27, 2025https://github.com/nodejs/node/issues/59651#issue-3360332483
herehttps://github.com/nodejs/node/blob/83c955d8c26087ada9ab54bbd75c6497125d9812/lib/internal/http2/util.js#L785-L789
httptoolkit/httptoolkit#785https://github.com/httptoolkit/httptoolkit/issues/785
@jasnellhttps://github.com/jasnell
@apapirovskihttps://github.com/apapirovski
@mildsunrisehttps://github.com/mildsunrise
feature requestIssues that request new features to be added to Node.js.https://github.com/nodejs/node/issues?q=state%3Aopen%20label%3A%22feature%20request%22
http2Issues or PRs related to the http2 subsystem.https://github.com/nodejs/node/issues?q=state%3Aopen%20label%3A%22http2%22
Node.js feature requestshttps://github.com/orgs/nodejs/projects/4
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.