ASVS Requirement 4.2.1
- Level: 2
- Chapter: V4 API and Web Service
- Section: V4.2 HTTP Message Structure Validation
- Source: 0x13-V4-API-and-Web-Service.md
Description
Verify that all application components (including load balancers, firewalls, and application servers) determine boundaries of incoming HTTP messages using the appropriate mechanism for the HTTP version to prevent HTTP request smuggling. In HTTP/1.x, if a Transfer-Encoding header field is present, the Content-Length header must be ignored per RFC 2616. When using HTTP/2 or HTTP/3, if a Content-Length header field is present, the receiver must ensure that it is consistent with the length of the DATA frames.
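An added worked example for the HTTP/1.x rule in the description (written for this page; it is not ASVS text or any server's code): a framing routine that gives Transfer-Encoding precedence over Content-Length, rejects a message carrying both (or conflicting duplicate Content-Length values) in its default strict mode, and decodes chunked bodies to find where the message really ends. The sample requests, the `strict` flag and the `FramingError` name are constructed for the example.

```python
# Constructed sample requests for this example (not taken from the ASVS text).
CL_ONLY = b"POST / HTTP/1.1\r\nHost: app.test\r\nContent-Length: 5\r\n\r\nhelloTAIL"
CL_AND_TE = (b"POST / HTTP/1.1\r\nHost: app.test\r\nContent-Length: 6\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nX")

class FramingError(ValueError): """Framing is ambiguous or malformed: reject, never guess."""

def frame_body(raw: bytes, strict: bool = True) -> tuple[bytes, bytes]:
    """Return (body, bytes after the body) for the first request in `raw`.
    Transfer-Encoding wins over Content-Length (RFC 2616 4.4); strict rejects both."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    hdrs: dict[str, list[str]] = {}                  # name -> every value seen
    for line in head.split(b"\r\n")[1:]:             # [0] is the request line
        name, colon, value = line.partition(b":")
        if not colon or name != name.rstrip():       # "Name :" must not be tolerated
            raise FramingError("malformed header line")
        hdrs.setdefault(name.lower().decode("latin-1"), []).append(value.strip().decode("latin-1"))
    te, cl = hdrs.get("transfer-encoding"), hdrs.get("content-length")
    if te:
        if cl and strict:
            raise FramingError("both Transfer-Encoding and Content-Length present")
        if [c.strip().lower() for v in te for c in v.split(",")][-1] != "chunked":
            raise FramingError("final transfer coding is not chunked; length unknowable")
        return _read_chunked(rest)                   # Content-Length ignored here
    if cl:
        if len(set(cl)) != 1 or not (cl[0].isascii() and cl[0].isdigit()):
            raise FramingError("conflicting or malformed Content-Length")
        n = int(cl[0])
        if len(rest) < n:
            raise FramingError("body shorter than Content-Length")
        return rest[:n], rest[n:]
    return b"", rest                                 # no message body at all

def _read_chunked(data: bytes) -> tuple[bytes, bytes]:
    body = b""                                       # ends after the 0-size chunk and trailers
    while True:
        size_line, sep, data = data.partition(b"\r\n")
        if not sep:
            raise FramingError("truncated chunk-size line")
        size = int(size_line.split(b";")[0].strip(), 16)   # drop chunk extensions
        if size == 0:                                # last chunk: skip any trailers
            _, sep, data = data.partition(b"\r\n" if data.startswith(b"\r\n") else b"\r\n\r\n")
            if not sep:
                raise FramingError("truncated trailer section")
            return body, data
        if data[size:size + 2] != b"\r\n":
            raise FramingError("chunk data truncated or not CRLF-terminated")
        body, data = body + data[:size], data[size + 2:]
```

The second sample shows the hazard the requirement addresses: a hop that trusts Content-Length: 6 treats the trailing `X` as part of this body, while a hop applying the RFC rule ends the body at the empty chunk and leaves `X` for the next message. Rejecting such requests at every component removes the disagreement instead of relying on each hop to pick the same side.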