Lesson 3.3
Validating content-length
Why a duplicate or non-numeric content-length gets a 400 instead of a guess, the request-smuggling hazard behind it, and the character-by-character validation that closes it.
What you will build
- Explain how two parsers disagreeing about a body's length becomes request smuggling.
- Reject a duplicate content-length and a non-numeric content-length with HttpError(400, ERR_CONTENT_LENGTH).
- Validate the raw digits yourself instead of trusting Number or parseInt to agree.