Rack 3.0 HTTP/2 headers format #4000

@Strech

Starting with Rack 3.0, conformance with the HTTP/2 specification is enforced, at least in development mode. It touches many aspects of the response, especially the format of header keys.

It's recommended/enforced to have lower-case header keys in the response. Technically, the HTTP spec defines header keys as case-insensitive:

Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2

At the same time, it's a potentially dangerous move:

I think requiring lower case headers has the potential to break lots of rack applications, frameworks, and middleware. However, it would also simplify a lot of code in the long run. Since HTTP/2 requires it and HTTP/1 works fine with it, it seems a reasonable change for SPEC. I definitely prefer this approach over requiring that response headers be case insensitive.
(by jeremyevans)

But I think we should keep an 👀 on that progress.

Note

In AppSec we return a 403 response if an InApp-WAF rule triggered and blocked the request. We have camel-case headers set in the response object.


Thanks @y9v for investigation support
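
The following is an added example, not code from the issue or from the project: a plain-Ruby check of a Rack response against the Rack 3 rule that header keys contain no upper-case ASCII, plus a middleware that lower-cases them. All method and class names and the sample 403 response are hypothetical and constructed for illustration.

```ruby
# Added illustration, not code from the issue or the project it belongs to.
# All names below (noncompliant_header_keys, lowercase_headers,
# LowercaseHeaders, blocked_response) are hypothetical.

# Rack 3 SPEC: header keys must be Strings without upper-case ASCII (A-Z).
# Returns the keys that break that rule.
def noncompliant_header_keys(headers)
  headers.keys.reject { |key| key.is_a?(String) && key !~ /[A-Z]/ }
end

# Returns a new Hash with lower-cased String keys. If two spellings of one
# field collapse onto the same key, distinct values are kept as an Array,
# which is how Rack 3 represents a multi-valued header.
def lowercase_headers(headers)
  headers.each_with_object({}) do |(key, value), out|
    name = key.to_s.downcase
    merged = (Array(out[name]) + Array(value)).uniq
    out[name] = merged.size == 1 ? merged.first : merged
  end
end

# Middleware that normalizes whatever the wrapped app (or a blocking
# component in front of it) returned, so the response passes the Rack 3 rule.
class LowercaseHeaders
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, lowercase_headers(headers), body]
  end
end

# Constructed sample: a 403 block response with camel-case header keys.
def blocked_response
  [403, { "Content-Type" => "text/html", "Content-Length" => "9" }, ["Forbidden"]]
end

if __FILE__ == $PROGRAM_NAME
  app = LowercaseHeaders.new(->(_env) { blocked_response })
  p noncompliant_header_keys(blocked_response[1])
  p app.call({})
end
```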
