The web server must terminate the connection if server-level exceptions are triggered when handling requests to prevent HTTP request smuggling attacks.

Description

<VulnDiscussion>The web server defines a set of exceptions for every HTTP status code. Each exception class has a status code according to RFC 2068: Codes with 100-300 are not really errors; 400s are client errors, and 500s are server errors. If not directly specified, headers will be added to the default response headers. In the event of an anomaly or exception during the processing of requests, it is safer to terminate the connection to prevent malformed requests from exploiting potential protocol vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>