Plug.Conn – Erroneous validation of HTTP header keys?

silverdr · December 10, 2021, 9:01pm

HTTP header fields, […] follow the same generic format as that given in Section 3.1 of RFC 822 [9]. Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.

and e. g. section 6.2 (and all other sources I checked) list response headers keys in mixed case, what is the point of:

Plug.Conn.InvalidHeaderError) header key is not lowercase: "WWW-Authenticate"

error I receive when testing the functionality, which returns the above header?

al2o3cr · December 11, 2021, 12:33am

The comment in the documentation for Plug.Conn.put_req_header sounds VERY relevant:

github.com

elixir-plug/plug/blob/f7fbe26e7148374c4d37bde41540be2844056aa1/lib/plug/conn.ex#L627-L633

    
      
          Because header keys are case-insensitive in both HTTP/1.1 and HTTP/2,
          it is recommended for header keys to be in lowercase, to avoid sending
          duplicate keys in a request.
          Additionally, requests with mixed-case headers served over HTTP/2 are not
          considered valid by common clients, resulting in dropped requests.
          As a convenience, when using the `Plug.Adapters.Conn.Test` adapter, any
          headers that aren't lowercase will raise a `Plug.Conn.InvalidHeaderError`.

silverdr · December 11, 2021, 10:54am

Thank you for pointing this out. Now I know where it comes from. Apparently I was so baffled that I didn’t even think this could be a documented “feature”.