Mark Nottingham
Maybe an "efficiency" view?
Because some implementations will treat a header named "Foo" differently than one named "Foo ", and this can enable attacks like HTTP response smuggling. See http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-11#section-3.2
Use thor.error.HeaderSpaceError
The header isn't highlighted, probably because of the whitespace.
Sounds reasonable.
EricL says HAR would be good enough for now.
Looking at the state of SSL support in Python, my hopes aren't high. Specifically, it looks like making it non-blocking is going to be challenging, although the Twisted folks have...
Preliminary support is now in Thor; no changes needed in RED to take advantage of it. Note that certificates are not checked, nor are any other SSL-specific checks made (yet).
HTTPS-related checks:
- v2/v3/tls
- HttpOnly cookies
- cert validation (expiration, domain match, etc.)
- ca quality
- cipher strength
- HSTS
Also, suggest Cache-Control: public (as per UserVoice feedback)