Use --insecure-http-parser to avoid issues with bad upstream responses

pimterry · pimterry · commit e2dcd2ebf3a8 · 2022-09-19T23:52:01.000+02:00
Previously, the server used the strict HTTP parser (introduced in Node
v12 I think?) which intentionally aggresively rejects responses that
don't strictly follow the rules, to avoid request smuggling. In our
case, we want to allow request smuggling: the response we forward should
*exactly* match the response we receive, wherever possible, even if the
response was stupid.
diff --git a/src/index.ts b/src/index.ts
@@ -363,7 +363,10 @@ if (!amMainInstance) {
                 NODE_SKIP_PLATFORM_CHECK: '1',
                 NODE_OPTIONS:
                     process.env.HTTPTOOLKIT_NODE_OPTIONS || // Allow manually configuring node options
-                    "--max-http-header-size=102400" // By default, set max header size to 100KB
+                    [
+                        "--max-http-header-size=102400", // By default, set max header size to 100KB
+                        "--insecure-http-parser" // Allow invalid HTTP, e.g. header values - we'd rather be invisible than strict
+                    ].join(' ')
             })
         });
 
