HTTP methods with '-' char
mdounin at mdounin.ru
Thu May 22 13:22:58 UTC 2014
On Thu, May 22, 2014 at 02:29:23AM -0300, George Fleury wrote:
> Hi all,
> I'm porting Apache https mod_cluster to NGINX, however the methods used for internal control by mod_cluster
> use the character '-' (ex: ENABLE-APP), and for NGINX these methods are invalid because of the character '-'.
> Now comes my doubt: I gave a quick read of RFCs 2616 and 822 and found nothing saying that the '-' character
> cannot be used in token methods of HTTP/1.1. Is that right, or is there a reason?
As of now, nginx doesn't allow any characters other than uppercase
Latin letters and "_" in method names. While this is stricter
than what HTTP requires, it covers almost all known valid
uses, thus limiting potential attack vectors.
See the thread here for previous discussion on this:
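The gap between the two rules in this exchange, as an added example that is not part of the original messages and is not code from nginx: `rfc2616_is_token` follows the RFC 2616 `token` grammar, while `strict_method_ok` (a hypothetical name) models the restriction described in the reply. The sample method names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators> */
static int rfc2616_is_token(const char *s)
{
    static const char separators[] = "()<>@,;:\\\"/[]?={} \t";
    const unsigned char *p = (const unsigned char *) s;

    if (*p == '\0') {
        return 0;                      /* at least one character is required */
    }
    for (; *p != '\0'; p++) {
        if (*p <= 31 || *p >= 127) {
            return 0;                  /* control characters and non-ASCII octets */
        }
        if (strchr(separators, *p) != NULL) {
            return 0;                  /* separators cannot appear in a token */
        }
    }
    return 1;
}

/* Model of the stricter rule from the reply: only 'A'..'Z' and '_'.
 * Hypothetical helper written for this example, not taken from nginx. */
static int strict_method_ok(const char *s)
{
    if (*s == '\0') {
        return 0;
    }
    for (; *s != '\0'; s++) {
        if ((*s < 'A' || *s > 'Z') && *s != '_') {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample method names */
    static const char *samples[] = { "GET", "ENABLE-APP", "ENABLE_APP",
                                     "M-SEARCH", "get", "GET /x" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-12s rfc2616_token=%d strict=%d\n", samples[i],
               rfc2616_is_token(samples[i]), strict_method_ok(samples[i]));
    }
    return 0;
}
```

Methods such as ENABLE-APP fall into the set that is a valid token but fails the strict rule, which is the case the question is about.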