HTTP/2 continuation flood attack alert - Bandit 1.4.0 and upwards is safe

Because a couple of people have reached out to enquire, I figured I'd pre-emptively post here.

Just a note that Bandit 1.4.0+ is safe against the latest HTTP/2 continuation flood attack.

Versions prior to 1.4.0 are not safe, however. Previously, we did not check header size until decompression, which happens only after we had a complete header set. This is in fact the exact thing the attack exploits.

(Of note, this was actually one of the main reasons behind the breaking change around max_header_block_size that went into 1.4.0. This gap was on my radar forever, and indeed this whole attack vector is pretty obvious from an implementor's perspective; I'm surprised it's only making news now.)

Cowboy looks to be safe as well, since 2.11 or so.

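To make the gap the post describes concrete, here is an added example (my own code, not Bandit's or Cowboy's, written in Python rather than Elixir so it runs stand-alone) that parses HTTP/2 HEADERS/CONTINUATION frames and assembles the header block two ways: the pre-fix pattern, where the size limit is only consulted once END_HEADERS arrives, and a bounded version that enforces the limit on the cumulative compressed size as each fragment lands. The `max_header_block_size` parameter name is borrowed from the option the post mentions; the enforcement logic, the frame helpers and the flood/benign traffic are all constructed here and are assumptions, and HPACK decoding is deliberately not performed because the whole point is that the check must happen before it.

```python
"""Continuation-flood demo: bound the header block *before* decompression.

Added example, not Bandit's code. HTTP/2 frames are constructed inline
(RFC 9113 section 4.1 layout); no HPACK decoding is done on purpose.
"""

HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4  # flag bit shared by HEADERS and CONTINUATION


def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) from a byte string of back-to-back frames."""
    off = 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


class HeaderBlockTooLarge(Exception):
    def __init__(self, buffered):
        super().__init__(f"header block exceeds limit ({buffered} bytes buffered)")
        self.buffered = buffered


def assemble_unbounded(frames, max_header_block_size):
    """The pre-1.4.0-style pattern the post describes: buffer every fragment and
    compare against the limit only once END_HEADERS arrives. Returns
    (block_or_None, peak_buffered). A peer that never sends END_HEADERS makes
    the buffer grow without bound; the size check is simply never reached."""
    buf, peak = bytearray(), 0
    for ftype, flags, _sid, payload in frames:
        if ftype not in (HEADERS, CONTINUATION):
            continue
        buf += payload
        peak = max(peak, len(buf))
        if flags & END_HEADERS:
            if len(buf) > max_header_block_size:
                raise HeaderBlockTooLarge(len(buf))
            return bytes(buf), peak
    return None, peak


def assemble_bounded(frames, max_header_block_size):
    """Hardened: enforce the limit on the cumulative *compressed* size as each
    fragment arrives, before it is buffered and long before HPACK decoding.
    Also rejects CONTINUATION frames that do not follow HEADERS on the same
    stream (RFC 9113 section 6.10 makes that a connection-level PROTOCOL_ERROR)."""
    buf, peak, open_stream = bytearray(), 0, None
    for ftype, flags, sid, payload in frames:
        if open_stream is not None:
            if ftype != CONTINUATION or sid != open_stream:
                raise ValueError("PROTOCOL_ERROR: unexpected frame inside header block")
        elif ftype == HEADERS:
            open_stream = sid
        elif ftype == CONTINUATION:
            raise ValueError("PROTOCOL_ERROR: CONTINUATION without HEADERS")
        else:
            continue
        if len(buf) + len(payload) > max_header_block_size:
            raise HeaderBlockTooLarge(len(buf) + len(payload))  # reject before buffering
        buf += payload
        peak = max(peak, len(buf))
        if flags & END_HEADERS:
            return bytes(buf), peak
    return None, peak


def continuation_flood(stream_id=1, fragment=b"\x00" * 1024, count=1000):
    """Constructed attack traffic: HEADERS without END_HEADERS, then CONTINUATION forever."""
    return frame(HEADERS, 0, stream_id, fragment) + b"".join(
        frame(CONTINUATION, 0, stream_id, fragment) for _ in range(count))


def legitimate_request(stream_id=1):
    """Constructed benign traffic: HPACK bytes for ':method GET', ':scheme http',
    ':path /' (static-table indices 2, 6, 4) split across two frames and terminated."""
    return (frame(HEADERS, 0, stream_id, b"\x82\x86")
            + frame(CONTINUATION, END_HEADERS, stream_id, b"\x84"))


if __name__ == "__main__":
    limit = 64 * 1024
    _, peak = assemble_unbounded(parse_frames(continuation_flood()), limit)
    print(f"unbounded assembler buffered {peak} bytes and is still waiting for END_HEADERS")
    try:
        assemble_bounded(parse_frames(continuation_flood()), limit)
    except HeaderBlockTooLarge as e:
        print(f"bounded assembler rejected the stream at {e.buffered} bytes")
```

With a 64 KiB limit and 1 KiB fragments, the unbounded assembler holds a little over 1 MiB for a single stream and would keep growing for as long as the client keeps sending; the bounded one refuses the 65th fragment. The real mitigation also needs a per-connection cap on what is buffered across streams and should tear down the connection rather than just the stream, since a client that never sends END_HEADERS is not going to become well behaved.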