Lesson 3.3

Validating content-length

Why a duplicate or non-numeric content-length gets a 400 instead of a guess, the request-smuggling hazard behind it, and the character-by-character validation that closes it.

25 minsrc/parser.js
  • Explain how two parsers disagreeing about a body's length becomes request smuggling.
  • Reject a duplicate content-length and a non-numeric content-length with HttpError(400, ERR_CONTENT_LENGTH).
  • Validate the raw digits yourself instead of trusting Number or parseInt to agree.
Locked

This chapter is part of the framework capstone. Chapters 1 and 2 are free to build - unlock the rest to keep going.

Unlock the depth