TsgcWebSocketHTTPServer.StrictRequestParsing (property)
Rejects ambiguous HTTP requests used in request-smuggling attacks and applies stricter chunked-encoding validation.
property StrictRequestParsing: Boolean read GetStrictRequestParsing write SetStrictRequestParsing;
Default value: True
When StrictRequestParsing is enabled the server rejects, with HTTP status 400 (Bad Request), any HTTP request that carries BOTH a Content-Length and a Transfer-Encoding header. That combination is ambiguous about where the request body ends, and it is the basis of HTTP request-smuggling (TE.CL / CL.TE desync) attacks, where a front-end proxy and the back-end server disagree on request boundaries and an attacker smuggles a second request past the proxy. With strict parsing the server also applies tighter validation of chunked transfer encoding, rejecting malformed chunk sizes and trailers.
This property is enabled by default and should remain enabled on any server reachable from untrusted networks, especially when it sits behind a reverse proxy or load balancer. Disable it only to interoperate with a non-conformant client that legitimately sends both headers.
oServer := TsgcWebSocketHTTPServer.Create(nil);
oServer.Port := 80;
// reject ambiguous Content-Length + Transfer-Encoding requests (HTTP 400)
oServer.StrictRequestParsing := true;
oServer.Active := true;