RFC 9112 for HTTP/1.1 refers to RFC 3986 for the URI grammar used in the request-target (the part of the request line between the method and the HTTP version):
The rules below are defined in [URI]:
absolute-URI = <absolute-URI, see [URI], Section 4.3>
authority = <authority, see [URI], Section 3.2>
uri-host = <host, see [URI], Section 3.2.2>
port = <port, see [URI], Section 3.2.3>
query = <query, see [URI], Section 3.4>
Therefore we should check whether the web framework is compliant with RFC 3986 for URI handling. This includes cases such as:
- Allowing access to percent-encoded resources (such as `%2F` for a `/`; the encoded slash must stay part of the segment and not become a path separator)
- Sending an empty path (an empty request-target instead of `/`; the origin-form requires at least `/`)
- Sending absolute URIs (such as `GET https://web.site/path/`; this absolute-form is what a proxy receives, and an origin server must accept it too)
- Accepting an asterisk (such as `OPTIONS *`; the asterisk-form is only valid for OPTIONS)
- Handling dot segments (such as `GET /a/b/../c`, which RFC 3986 requires to be normalized to `/a/c`)
- Empty query (`/search?`, which is not the same URI as `/search`)
- ...
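These checks are easiest to run with hand-built request lines, because most HTTP client libraries normalize dot segments or reject an empty target before anything reaches the wire. The script below is an added example, not code from the original page: it builds the raw request for each case, sends it to a host given on the command line (`web.site` in the comments and tests is a placeholder, not a real target), and carries a reference implementation of RFC 3986 normalization (percent-encoding rules and `remove_dot_segments`) so a framework's answer can be compared with what the RFC prescribes. The encoded-dot-segment case (`/a/%2e%2e/c`) goes beyond the page's list; it follows from decoding unreserved characters before removing dot segments.

```python
"""RFC 3986 / RFC 9112 request-target test cases plus a reference normalizer.
Added example; run only against hosts you are authorized to test."""
import socket
import string
import sys

UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def normalize_percent_encoding(s: str) -> str:
    """RFC 3986 6.2.2.1/6.2.2.2: uppercase hex digits and decode only the
    unreserved characters. %2F stays encoded because '/' is reserved."""
    out, i = [], 0
    while i < len(s):
        hexpair = s[i + 1:i + 3]
        if s[i] == "%" and i + 2 < len(s) and all(c in string.hexdigits for c in hexpair):
            ch = chr(int(hexpair, 16))
            out.append(ch if ch in UNRESERVED else "%" + hexpair.upper())
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4 remove_dot_segments, transcribed step by step."""
    inp, out = path, []
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):
            inp = ""
        else:  # move the first segment (with its leading "/") to the output
            cut = inp.find("/", 1 if inp.startswith("/") else 0)
            out.append(inp if cut == -1 else inp[:cut])
            inp = "" if cut == -1 else inp[cut:]
    return "".join(out)


def normalize_origin_form(target: str) -> str:
    """Reference normalization of an origin-form target (path[?query]).
    Decoding runs before dot-segment removal, so /a/%2e%2e/c collapses to /c."""
    path, sep, query = target.partition("?")
    return remove_dot_segments(normalize_percent_encoding(path)) + sep + normalize_percent_encoding(query)


# Constructed request-targets, one per case in the list above (plus encoded dots).
TEST_CASES = [
    ("GET", "/a%2Fb"),                  # encoded slash: one segment "a/b", not /a/b
    ("GET", ""),                        # empty path: origin-form requires at least "/"
    ("GET", "https://web.site/path/"),  # absolute-form: origin servers must accept it
    ("OPTIONS", "*"),                   # asterisk-form: valid only for OPTIONS
    ("GET", "/a/b/../c"),               # dot segments: must normalize to /a/c
    ("GET", "/a/%2e%2e/c"),             # encoded dot segments: decode, then normalize to /c
    ("GET", "/search?"),                # empty query: present but empty
]


def build_request(method: str, target: str, host: str) -> bytes:
    """Hand-build the request line so no client library rewrites the target."""
    return (f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("latin-1")


def send_raw(host: str, port: int, request: bytes, timeout: float = 5.0) -> str:
    """Send the raw bytes and return the server's status line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.split(b"\r\n", 1)[0].decode("latin-1", "replace")


if __name__ == "__main__":
    # usage: python uri_cases.py <host> [port]   (host is a placeholder you supply)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    for method, target in TEST_CASES:
        status = send_raw(host, port, build_request(method, target, host))
        print(f"{method} {target!r:32} -> {status}")
```

Record the status line for each case and, for the origin-form ones, whether the resource served matches `normalize_origin_form(target)`; a framework that treats `/a%2Fb` as `/a/b` or serves `/a/%2e%2e/c` as something other than `/c` is not handling RFC 3986 normalization the way the specification describes.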