wsv 0.8.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3439ce5afffd7bfe4dc3e2a18da2d3f9d15ffd10b28e9cc4bb33f5c3e14ada12
-  data.tar.gz: 98e65904c83834cc8e910931f1884f52e652346bad94612a8ba31933e607ff8c
+  metadata.gz: 027bb497b4d78e1d58abd8aee91bc4349439c29425dc374b535587da67b09997
+  data.tar.gz: 5692790c2408ad64761358b3d33efccb439edb0e5c75150beed715bbabfc350e
 SHA512:
-  metadata.gz: 382457dc4151007dca51ab8a550021b06bfe4f4127d5ff40c3c9da7e566b3987ec16b57838b8ce5e30a210d538b87231b9f0f0e5e8b5ef91ef20cc5fdc8f9395
-  data.tar.gz: 2b6210d0c5063c4ba5a8b6c3d723cfe5db3abe9c41b20b6c56a99d64cac0a9b961d694fe2a7b2458250441102ed959034f13f7be169fa0a8102ef46405d8a4f4
+  metadata.gz: 2d866a94d0f52f01e7ea50f69a2818bf2c367d704274c362863af11c71647aa80120fa72964bec31f6bfb05356ec401ced291875b9f0bc5c55f9b6b1b4b28fd8
+  data.tar.gz: 27cdfaa3126c02c54eeb1268fdec08fc64de82a850e2523865280048f93fbd0d95f5c906eb4da26734a80e36c98570c82ed059d71bbab0459361153a4be1fbb9

data/CHANGELOG.md

@@ -1,6 +1,81 @@
 # Changelog
 
-## Unreleased
+## 0.10.0
+
+- Add `--cors` flag. When set, every response carries
+  `Access-Control-Allow-Origin: *` and `Vary: Origin`, and `OPTIONS`
+  preflight requests get `204 No Content` with `Access-Control-Allow-Methods:
+  GET, HEAD, OPTIONS` (echoing `Access-Control-Request-Headers` when
+  present). Unblocks browser fetches from a frontend served on a different
+  port (or a Service Worker) during local development. Matches the `--cors`
+  convention used by `http-server`, `serve`, and `live-server`. Without the
+  flag, no CORS headers are added and `OPTIONS` continues to return `405`.
+- Add `--open` flag that launches the OS default browser at the served URL
+  on startup. Uses `open` (macOS), `xdg-open` (Linux/BSD), or `cmd /c start`
+  (Windows). Best-effort: unsupported platforms or spawn failures are logged
+  but never abort the server. Wildcard binds (`0.0.0.0`, `::`) translate to
+  the matching loopback address for the URL.
+- Custom 404 page convention: when the served directory contains a
+  `404.html` file, it is served as the body of every `404 Not Found`
+  response (`Content-Type: text/html`) instead of the built-in plain
+  text. Matches Jekyll / Hugo / Netlify behaviour. `403` and other
+  error statuses are not rewritten.
+- Add `--spa` flag for single-page-app routing: a request whose path resolves
+  to `404` falls back to the root `index.html` so client-side routers (React
+  Router, Vue Router, etc.) get the SPA shell instead of a real 404. `403`
+  and other errors are unaffected -- dotfile and traversal blocks still
+  apply, and existing files at the requested path are served normally.
+- Send `X-Content-Type-Options: nosniff` on every response so browsers
+  honour the declared `Content-Type` instead of MIME-sniffing the body.
+- TLS / HTTPS support via Ruby's built-in `openssl` (no extra gem dependency).
+  - `--tls` enables HTTPS. Without `--cert / --key`, wsv looks for
+    `~/.config/wsv/cert.pem` and `~/.config/wsv/key.pem` (respecting
+    `XDG_CONFIG_HOME`); if neither is present, an ephemeral self-signed
+    certificate is generated in memory and a warning is printed.
+  - `--cert PATH --key PATH` uses a user-supplied PEM cert / key pair and
+    implies `--tls`. Specifying only one of the two is an error.
+  - `~/.config/wsv/` (or `$XDG_CONFIG_HOME/wsv/`) is the recommended location
+    for mkcert-issued certificates: `mkcert -cert-file ~/.config/wsv/cert.pem
+    -key-file ~/.config/wsv/key.pem localhost 127.0.0.1 ::1`.
+  - The HTTP scheme in the startup banner switches to `https://` when TLS is
+    enabled.
+  - The TLS handshake honours the per-request read deadline, so slow-handshake
+    clients cannot hold a worker beyond the configured timeout.
+
+## 0.9.0
+
+- Normalize the redirect `Location` to an origin-form path. Previously, an
+  absolute-form request target such as `GET http://example.test/docs HTTP/1.1`
+  produced `Location: http://example.test/docs/`; now it always emits
+  `Location: /docs/`.
+- Reject control characters (C0 0x00-0x1F and 0x7F DEL) in the
+  decoded request path with `400`. RFC 3986 disallows them in URL paths;
+  this prevents NUL-byte `ArgumentError` from leaking out of
+  `Wsv::PathResolver` and provides defence-in-depth against CR/LF
+  smuggling alongside the existing response-header validation.
+- Document the local-FS TOCTOU limitation in README's security model:
+  another local process with write access to the served directory can swap
+  files between path resolution and `File.open`. This is acknowledged as
+  out-of-scope for a development tool.
+- Decrement the in-flight connection counter when `Thread.new` itself raises
+  `ThreadError` (e.g. OS thread limit reached). The dispatch returns `503`
+  for the rejected client and the server continues accepting subsequent
+  connections instead of permanently leaking a slot.
+- Stream file responses through `IO.copy_stream` instead of buffering the
+  whole file in memory. Reduces RSS for large files and uses `sendfile(2)`
+  on Linux when available. `Response#body` still materializes to a String
+  for callers; the change is internal to the wire path.
+- Support `Range` requests for static files (`206 Partial Content` with
+  `Content-Range`). Open-ended (`bytes=N-`), suffix (`bytes=-N`), and
+  bounded (`bytes=N-M`) forms are supported. Unsatisfiable ranges return
+  `416`; invalid syntax falls through to a normal `200`.
+- Honour `If-Modified-Since` and return `304 Not Modified` when the file's
+  mtime (truncated to seconds) is at or before the supplied date.
+- Advertise `Accept-Ranges: bytes` on `200` and `206` file responses.
+- Document the public API contract in README: the CLI is the SemVer
+  surface. Ruby classes under `lib/wsv/` are implementation details.
+
+## 0.8.0
 
 - Bound request size: 8 KiB request line, 8 KiB per header line, 16 KiB total
   headers, 100 header lines. Returns 414 / 431 when exceeded.

data/README.md

@@ -1,9 +1,11 @@
 # wsv
 
-`wsv` is a minimal static web server for local previews.
+`wsv` is a zero-dependency static preview server for Ruby projects.
 
 It has no runtime dependencies outside Ruby's standard library. Run `wsv` in a directory and it serves that directory over HTTP.
 
+Requires Ruby 3.2 or later.
+
 ## Installation
 
 ```sh
@@ -14,7 +16,7 @@ For local development:
 
 ```sh
 gem build wsv.gemspec
-gem install ./wsv-0.1.0.gem
+gem install ./wsv-*.gem
 ```
 
 ## Usage
@@ -26,8 +28,11 @@ wsv [options] [directory]
 Examples:
 
 ```sh
-wsv
-wsv public
+wsv                       # serve current directory
+wsv _site                 # Jekyll / Bridgetown output
+wsv build                 # Astro / Hugo output
+wsv --spa dist            # Vite / esbuild / webpack SPA output
+wsv --tls --open          # HTTPS, open browser at startup
 wsv -h 0.0.0.0 -p 3000 ./dist
 ```
 
@@ -36,18 +41,65 @@ Options:
 ```text
 -h, --host HOST    Bind host (default: 127.0.0.1)
 -p, --port PORT    Bind port (default: 8000)
+    --tls          Enable HTTPS (uses ~/.config/wsv/{cert,key}.pem if both present, else self-signed)
+    --cert PATH    TLS certificate file (PEM); implies --tls
+    --key PATH     TLS private key file (PEM); implies --tls
+    --spa          Single-page-app mode: fall back to root index.html on 404
+    --open         Open the served URL in the default browser at startup
+    --cors         Send Access-Control-Allow-Origin: * on every response
     --help         Show help
     --version      Show version
 ```
 
+## TLS / HTTPS
+
+`--tls` enables HTTPS on the chosen `--port`. Three modes:
+
+1. **Ephemeral self-signed** — `wsv --tls` with no cert configured: wsv
+   generates an in-memory self-signed certificate. Browsers will show a
+   security warning; click through "Advanced → Proceed" once per session.
+2. **`~/.config/wsv/` auto-detection (recommended)** — if both
+   `~/.config/wsv/cert.pem` and `~/.config/wsv/key.pem` exist (resolved via
+   `$XDG_CONFIG_HOME` if set), `--tls` uses them. If only one of the two
+   files is present, wsv refuses to start so the misconfiguration does not
+   silently fall back to a self-signed certificate. Combine with
+   [mkcert](https://github.com/FiloSottile/mkcert) to skip browser warnings:
+
+   ```sh
+   mkcert -install     # one-time: register a local CA in your trust stores
+   mkdir -p ~/.config/wsv
+   mkcert -cert-file ~/.config/wsv/cert.pem \
+          -key-file  ~/.config/wsv/key.pem  \
+          localhost 127.0.0.1 ::1
+   chmod 600 ~/.config/wsv/key.pem
+   wsv --tls           # → https://localhost:8000/ with no warning
+   ```
+
+3. **Explicit cert/key files** — `wsv --cert path/to/cert.pem --key path/to/key.pem`
+   for project-specific certificates. Both flags must be provided together.
+
 ## Behavior
 
 - Serves files from the selected directory.
 - Serves `index.html` for directories that contain it.
 - Does not render directory listings.
 - Supports `GET` and `HEAD`.
+- Supports `Range` requests (`206 Partial Content` with `Content-Range`).
+- Honours `If-Modified-Since` and returns `304 Not Modified` when applicable.
 - Rejects paths that resolve outside the served directory.
-- Sends `Cache-Control: no-cache` for local development.
+- Sends `Cache-Control: no-cache` so the browser revalidates each request.
+- With `--spa`, serves the root `index.html` instead of `404` when a path
+  resolves to "not found" (so client-side routers like React Router or
+  Vue Router work). `403` and other errors are unaffected, so dotfile and
+  traversal blocks still apply.
+- If the served directory contains a `404.html` file, it is served as the
+  body of every `404 Not Found` response (with `Content-Type: text/html`)
+  instead of the built-in plain text. Matches the convention of Jekyll,
+  Hugo, and many static hosts.
+- With `--cors`, every response carries `Access-Control-Allow-Origin: *`
+  (and `Vary: Origin`), and `OPTIONS` preflight requests get `204 No Content`
+  with the matching CORS headers. Lets a frontend on a different port (or a
+  Service Worker) fetch assets from `wsv` during local development.
 
 ## Security model
 
@@ -75,23 +127,54 @@ Within that scope it tries to behave defensively:
   (default 10s, configurable). Stalled connections receive `408`.
 - Header injection — CR/LF in response header values is rejected at
   construction time, so user-derived strings cannot inject extra headers.
+- MIME sniffing — every response carries `X-Content-Type-Options: nosniff`
+  so browsers honour the declared `Content-Type` rather than guessing from
+  body contents.
 - Single-client monopolisation — connections are handled by a thread pool
-  capped at `max_connections` (default 8). Excess clients receive `503`.
+  capped at `max_connections` (default 8). Excess clients receive `503`
+  (or are closed without response in TLS mode, since writing plaintext over
+  a half-handshaked TLS socket would corrupt the client's view of the
+  protocol).
 - Transient `accept(2)` errors — per-connection failures (`ECONNABORTED`,
   `EMFILE`, etc.) are logged and skipped instead of killing the server.
 
 ### What `wsv` does NOT do
 
 - Authentication, authorization, or rate limiting.
-- TLS / HTTPS.
-- Range requests, conditional `GET`, or HTTP keep-alive.
+- HTTP keep-alive (each response sets `Connection: close`).
+- HTTP/2. Use Caddy / nginx as a front proxy if you need it.
+- ETags / `If-None-Match`.
 - Production-grade DoS resistance under hostile network load.
+- Defend against TOCTOU attacks from other local processes that can write
+  to the served directory. Path resolution (canonicalisation, dotfile
+  checks, within-root verification) happens before each file is opened;
+  another process that can swap files in the served directory between
+  resolution and read could redirect a request elsewhere on the same
+  machine.
 - Protect a directory you should not be sharing in the first place. The
   bound is the directory you pass on the command line; if it contains
   secrets, do not run `wsv` against it.
 
 If you need any of the above, use a real production server.
 
+## Public API and stability
+
+`wsv` follows [Semantic Versioning](https://semver.org/). The public API
+that SemVer covers is the CLI:
+
+- The flags listed above (`-h` / `--host`, `-p` / `--port`, `--help`,
+  `--version`) and their meanings.
+- The directory argument and the default behaviour when it is omitted.
+- Process exit codes (`0` for success, `1` for usage / setup errors).
+
+Within a major version, `wsv` will not silently change the default bind
+host, default port, the dotfile-blocking rule, or the security posture in
+ways that would surprise an existing user.
+
+The Ruby classes inside `lib/wsv/` are implementation details. They may
+change in any release, including patches. Pin the gem version if you
+embed `wsv` as a library.
+
 ## License
 
 MIT

data/lib/wsv/app.rb

@@ -1,38 +1,141 @@
 # frozen_string_literal: true
 
+require "time"
+require "uri"
+require_relative "cors"
 require_relative "path_resolver"
 require_relative "response"
 
 module Wsv
   class App
     ALLOWED_METHODS = %w[GET HEAD].freeze
+    RANGE_PATTERN = /\Abytes=(\d+)?-(\d+)?\z/
 
-    def initialize(root)
+    def initialize(root, spa: false, cors: false)
       @resolver = PathResolver.new(root)
+      @spa = spa
+      @cors = Cors.new if cors
     end
 
     def call(request)
+      return @cors.preflight(request) if @cors && request.method == "OPTIONS"
+
+      response = build_response(request)
+      @cors ? @cors.overlay(response) : response
+    end
+
+    private
+
+    def build_response(request)
       head = request.head?
 
       unless ALLOWED_METHODS.include?(request.method)
-        return Response.text(405, headers: { "Allow" => "GET, HEAD" }, head: head)
+        return Response.text(405, headers: { "Allow" => allow_methods }, head: head)
       end
 
       raw_path, query = request.target.split("?", 2)
       result = @resolver.resolve(raw_path)
 
-      return Response.text(result.status, head: head) if result.error?
+      # SPA fallback: when the path resolves to 404, retry with "/" so client-side
+      # routes (React Router etc.) get index.html instead of a real 404. Other
+      # error statuses (403/400) are not rewritten, so dotfile / traversal blocks
+      # still take effect.
+      if @spa && result.error? && result.status == 404
+        fallback = @resolver.resolve("/")
+        result = fallback if fallback.file?
+      end
+
+      return error_response(result.status, head: head) if result.error?
       return Response.redirect(redirect_location(raw_path, query), head: head) if result.redirect?
 
-      Response.file(result.file, head: head)
+      file_response(result.file, request, head: head)
     end
 
-    private
+    def allow_methods
+      @cors ? Cors::ALLOW_METHODS : "GET, HEAD"
+    end
+
+    def error_response(status, head:)
+      if status == 404
+        # Custom 404 page convention: when the served root contains a `404.html`
+        # file, serve it as the body of any 404 response (Content-Type: text/html).
+        custom = @resolver.resolve("/404.html")
+        return Response.file(custom.file, status: 404, head: head) if custom.file?
+      end
+      Response.text(status, head: head)
+    end
+
+    def file_response(file, request, head:)
+      return Response.not_modified if not_modified?(file, request.headers["if-modified-since"])
+
+      size = File.size(file)
+      range = parse_range(request.headers["range"], size)
+      case range
+      when :unsatisfiable
+        Response.range_not_satisfiable(size, head: head)
+      when nil
+        Response.file(file, head: head)
+      else
+        Response.file(file, head: head, range: range)
+      end
+    end
+
+    def not_modified?(file, header_value)
+      return false unless header_value
+
+      since = Time.httpdate(header_value)
+      File.mtime(file).to_i <= since.to_i
+    rescue ArgumentError
+      false
+    end
+
+    def parse_range(header_value, file_size)
+      return nil if header_value.nil? || header_value.empty?
+
+      match = header_value.match(RANGE_PATTERN)
+      # Per RFC 7233, an unparseable Range is treated as if absent: fall
+      # through as nil so the caller serves a normal 200 instead of 416.
+      return nil unless match
+
+      first, last = match.captures
+      if first.nil? && last.nil?
+        nil
+      elsif first.nil?
+        suffix_range(last.to_i, file_size)
+      elsif last.nil?
+        open_range(first.to_i, file_size)
+      else
+        bounded_range(first.to_i, last.to_i, file_size)
+      end
+    end
+
+    def suffix_range(suffix, file_size)
+      return :unsatisfiable if suffix.zero? || file_size.zero?
+
+      [file_size - suffix, 0].max..(file_size - 1)
+    end
+
+    def open_range(first, file_size)
+      return :unsatisfiable if first >= file_size
+
+      first..(file_size - 1)
+    end
+
+    def bounded_range(first, last, file_size)
+      return :unsatisfiable if first > last || first >= file_size
+
+      last = file_size - 1 if last >= file_size
+      first..last
+    end
 
     def redirect_location(raw_path, query)
-      location = raw_path.end_with?("/") ? raw_path : "#{raw_path}/"
+      path = URI(raw_path.to_s).path
+      path = "/" if path.empty?
+      location = path.end_with?("/") ? path : "#{path}/"
       location += "?#{query}" if query && !query.empty?
       location
+    rescue URI::InvalidURIError
+      "/"
     end
   end
 end

data/lib/wsv/cli.rb

@@ -21,7 +21,13 @@ module Wsv
       return 0 if options[:handled]
 
       root = resolve_root(options[:directory])
-      server = Server.new(host: options[:host], port: options[:port], root: root, out: @out, err: @err)
+      tls = resolve_tls(options)
+      server = Server.new(
+        host: options[:host], port: options[:port], root: root,
+        out: @out, err: @err, tls: tls,
+        spa: options[:spa] || false, open: options[:open] || false,
+        cors: options[:cors] || false
+      )
       server.start
       0
     rescue OptionParser::ParseError, ArgumentError => e
@@ -33,14 +39,14 @@ module Wsv
       1
     end
 
-    def parse_options(args)
+    def parse_options(args) # rubocop:disable Metrics/AbcSize
       options = {
         host: DEFAULT_HOST,
         port: DEFAULT_PORT,
         directory: Dir.pwd
       }
 
-      parser = OptionParser.new do |opts|
+      parser = OptionParser.new do |opts| # rubocop:disable Metrics/BlockLength
         opts.banner = "Usage: wsv [options] [directory]"
 
         opts.on("-h", "--host HOST", "Bind host (default: #{DEFAULT_HOST})") do |host|
@@ -51,6 +57,30 @@ module Wsv
           options[:port] = validate_port(port)
         end
 
+        opts.on("--tls", "Enable HTTPS (uses ~/.config/wsv/{cert,key}.pem if both present, else self-signed)") do
+          options[:tls] = true
+        end
+
+        opts.on("--cert PATH", "TLS certificate file (PEM); implies --tls") do |path|
+          options[:cert] = path
+        end
+
+        opts.on("--key PATH", "TLS private key file (PEM); implies --tls") do |path|
+          options[:key] = path
+        end
+
+        opts.on("--spa", "Single-page-app mode: fall back to root index.html on 404") do
+          options[:spa] = true
+        end
+
+        opts.on("--open", "Open the served URL in the default browser at startup") do
+          options[:open] = true
+        end
+
+        opts.on("--cors", "Send Access-Control-Allow-Origin: * on every response") do
+          options[:cors] = true
+        end
+
         opts.on("--help", "Show help") do
           @out.puts opts
           options[:handled] = true
@@ -60,6 +90,14 @@ module Wsv
           @out.puts Wsv::VERSION
           options[:handled] = true
         end
+
+        opts.separator ""
+        opts.separator "Examples:"
+        opts.separator "    wsv                  # serve current dir"
+        opts.separator "    wsv _site            # Jekyll / Bridgetown output"
+        opts.separator "    wsv build            # Astro / Hugo output"
+        opts.separator "    wsv --spa dist       # Vite / esbuild / webpack SPA output"
+        opts.separator "    wsv --tls --open     # HTTPS, open browser"
       end
 
       parser.parse!(args)
@@ -84,5 +122,13 @@ module Wsv
 
       port
     end
+
+    def resolve_tls(options)
+      return nil unless options[:tls] || options[:cert] || options[:key]
+
+      TlsContext::Resolver.resolve(cert_path: options[:cert], key_path: options[:key])
+    rescue OpenSSL::OpenSSLError => e
+      raise ArgumentError, "TLS configuration error: #{e.message}"
+    end
   end
 end

data/lib/wsv/cors.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative "response"
+
+module Wsv
+  class Cors
+    ALLOW_ORIGIN = "*"
+    ALLOW_METHODS = "GET, HEAD, OPTIONS"
+    MAX_AGE = "86400"
+
+    def preflight(request)
+      headers = {
+        "Access-Control-Allow-Origin" => ALLOW_ORIGIN,
+        "Access-Control-Allow-Methods" => ALLOW_METHODS,
+        "Access-Control-Max-Age" => MAX_AGE,
+        "Vary" => "Origin"
+      }
+      requested = request.headers["access-control-request-headers"]
+      headers["Access-Control-Allow-Headers"] = requested if requested
+      Response.new(status: 204, headers: headers)
+    end
+
+    def overlay(response)
+      response.with_headers(
+        "Access-Control-Allow-Origin" => ALLOW_ORIGIN,
+        "Vary" => "Origin"
+      )
+    end
+  end
+end

data/lib/wsv/path_resolver.rb

@@ -4,6 +4,10 @@ require "uri"
 
 module Wsv
   class PathResolver
+    # RFC 3986 disallows control characters in URL paths. Reject them after
+    # percent-decoding so callers cannot smuggle CR/LF, NUL, etc. through.
+    INVALID_PATH_CHARS = /[\u0000-\u001f\u007f]/
+
     class Result
       attr_reader :status, :file
 
@@ -46,6 +50,12 @@ module Wsv
       decoded = decode(raw_path)
       return Result.error(400) unless decoded
 
+      # Layered defense:
+      #   1. URL-level: reject `..` traversal and dotfile segments before
+      #      touching the filesystem.
+      #   2. realpath-level: re-check after symlinks resolve, so an internal
+      #      symlink cannot smuggle access to outside-root paths or to
+      #      `.git/` / `.env` etc. via a non-dotfile-looking URL.
       relative = decoded.sub(%r{\A/+}, "")
       return Result.error(403) if hidden_segment?(relative)
 
@@ -77,7 +87,10 @@ module Wsv
 
     def decode(raw_path)
       path = URI(raw_path.to_s).path
-      percent_decode(path)
+      decoded = percent_decode(path)
+      return nil if decoded.nil? || decoded.match?(INVALID_PATH_CHARS)
+
+      decoded
     rescue URI::InvalidURIError
       nil
     end

data/lib/wsv/request/parser.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Request
+    class Parser
+      REQUEST_LINE_LIMIT = 8192
+      HEADER_LINE_LIMIT = 8192
+      HEADER_COUNT_LIMIT = 100
+      HEADER_TOTAL_LIMIT = 16_384
+
+      def initialize(io)
+        @io = io
+      end
+
+      def parse
+        line = @io.gets("\n", REQUEST_LINE_LIMIT)
+        return :empty unless line
+        raise TooLarge, 414 if line.bytesize >= REQUEST_LINE_LIMIT && !line.end_with?("\n")
+
+        method, target, version = line.split(/\s+/, 3)
+        version = version&.strip
+        return :malformed unless method && target && version&.start_with?("HTTP/")
+
+        Request.new(method: method, target: target, version: version, headers: read_headers)
+      end
+
+      private
+
+      def read_headers
+        headers = {}
+        total = 0
+        count = 0
+        while (line = @io.gets("\n", HEADER_LINE_LIMIT))
+          raise TooLarge, 431 if line.bytesize >= HEADER_LINE_LIMIT && !line.end_with?("\n")
+
+          stripped = line.delete_suffix("\r\n").delete_suffix("\n").delete_suffix("\r")
+          break if stripped.empty?
+
+          count += 1
+          raise TooLarge, 431 if count > HEADER_COUNT_LIMIT
+
+          total += line.bytesize
+          raise TooLarge, 431 if total > HEADER_TOTAL_LIMIT
+
+          name, value = stripped.split(":", 2)
+          headers[name.downcase] = value.strip if name && value
+        end
+        headers
+      end
+    end
+  end
+end

data/lib/wsv/request/too_large.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Request
+    # Raised by Request::Parser when the incoming request line, an individual
+    # header line, the total header bytes, or the header count exceeds the
+    # configured limit. The status_code chooses between 414 (URI Too Long)
+    # and 431 (Request Header Fields Too Large) at the call site.
+    class TooLarge < StandardError
+      attr_reader :status_code
+
+      def initialize(status_code)
+        super("request exceeded size limit (#{status_code})")
+        @status_code = status_code
+      end
+    end
+  end
+end