Add 34 new HTTP/1.1 compliance, smuggling, and robustness tests (46 → 80)

New tests cover RFC 9110/9112 requirements for: comma-separated CL,
chunked encoding edge cases (not-final, bare semicolon, hex prefix,
underscores, leading spaces, missing CRLF, overflow, long extensions),
TE in HTTP/1.0, bare CR in headers, Host validation (duplicate same,
userinfo, path), asterisk-form, absolute-form, CONNECT empty port,
method case sensitivity, leading CRLF, unknown TE, NUL in headers,
and HTTP/2 preface detection. Includes probe STRICT dict entries and
glossary documentation for all new tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: MDA2AV

.github/workflows/probe.yml

@@ -370,6 +370,188 @@ jobs:
                 'expected': '400/close/timeout',
                 'reason': 'Whitespace-only request line is not valid HTTP'
             },
+            # ── New Compliance tests ───────────────────────────────────
+            'COMP-WHITESPACE-BEFORE-HEADERS': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Whitespace before first header is invalid (RFC 9112 §2.2)'
+            },
+            'COMP-DUPLICATE-HOST-SAME': {
+                'accept': [400], 'close_ok': False, 'timeout_ok': False,
+                'expected': '400',
+                'reason': 'MUST respond with 400 for more than one Host header (RFC 9112 §3.2)'
+            },
+            'COMP-HOST-WITH-USERINFO': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Host header with userinfo is invalid (RFC 9112 §3.2)'
+            },
+            'COMP-HOST-WITH-PATH': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Host header with path component is invalid (RFC 9112 §3.2)'
+            },
+            'COMP-ASTERISK-WITH-GET': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Asterisk-form only valid for OPTIONS (RFC 9112 §3.2.4)'
+            },
+            'COMP-OPTIONS-STAR': {
+                'accept': list(range(200, 300)),
+                'close_ok': False, 'timeout_ok': False,
+                'expected': '2xx',
+                'reason': 'OPTIONS * is valid asterisk-form (RFC 9112 §3.2.4)'
+            },
+            'COMP-UNKNOWN-TE-501': {
+                'accept': [400, 501], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400/501 or close',
+                'reason': 'Unknown TE without CL should be rejected (RFC 9112 §6.1)'
+            },
+            'COMP-LEADING-CRLF': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'warn_on_2xx': True, 'scored': False,
+                'expected': '400 or 2xx',
+                'reason': 'Leading CRLF — server MAY ignore per RFC 9112 §2.2'
+            },
+            'COMP-ABSOLUTE-FORM': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'warn_on_2xx': True, 'scored': False,
+                'expected': '400 or 2xx',
+                'reason': 'Absolute-form is valid per RFC 9112 §3.2.2'
+            },
+            'COMP-METHOD-CASE': {
+                'accept': [400, 405, 501], 'close_ok': True, 'timeout_ok': False,
+                'warn_on_2xx': True, 'scored': False,
+                'expected': '400/405/501 or 2xx',
+                'reason': 'Methods are case-sensitive per RFC 9110 §9.1 — 2xx means case-insensitive'
+            },
+            'COMP-CONNECT-EMPTY-PORT': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'CONNECT with empty port is invalid (RFC 9112 §3.2.3)'
+            },
+            # ── New Smuggling tests (scored) ───────────────────────────
+            'SMUG-CL-COMMA-DIFFERENT': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Comma-separated different CL values must be rejected (RFC 9110 §8.6)'
+            },
+            'SMUG-TE-NOT-FINAL-CHUNKED': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Chunked must be the final encoding (RFC 9112 §7)'
+            },
+            'SMUG-TE-HTTP10': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'TE in HTTP/1.0 is invalid (RFC 9112 §6.1)'
+            },
+            'SMUG-CHUNK-BARE-SEMICOLON': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Bare semicolon in chunk size without extension name (RFC 9112 §7.1.1)'
+            },
+            'SMUG-BARE-CR-HEADER-VALUE': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Bare CR must be rejected or replaced with SP (RFC 9112 §2.2)'
+            },
+            'SMUG-CL-OCTAL': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Octal prefix in CL is not valid DIGIT syntax (RFC 9110 §8.6)'
+            },
+            'SMUG-CHUNK-UNDERSCORE': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Underscores in chunk size are not valid HEXDIG (RFC 9112 §7.1)'
+            },
+            'SMUG-TE-EMPTY-VALUE': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Empty TE value with CL is ambiguous (RFC 9112 §6.1)'
+            },
+            'SMUG-TE-LEADING-COMMA': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Leading comma in TE is malformed (RFC 9112 §6.1)'
+            },
+            'SMUG-TE-DUPLICATE-HEADERS': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Two TE headers with CL is ambiguous framing (RFC 9112 §6.1)'
+            },
+            'SMUG-CHUNK-HEX-PREFIX': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': '0x prefix in chunk size is not valid HEXDIG (RFC 9112 §7.1)'
+            },
+            'SMUG-CL-HEX-PREFIX': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Hex prefix in CL is not valid DIGIT syntax (RFC 9110 §8.6)'
+            },
+            'SMUG-CL-INTERNAL-SPACE': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Internal space in CL value is not valid DIGIT (RFC 9110 §8.6)'
+            },
+            'SMUG-CHUNK-LEADING-SP': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Leading space in chunk size is not valid HEXDIG (RFC 9112 §7.1)'
+            },
+            'SMUG-CHUNK-MISSING-TRAILING-CRLF': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Chunk data without trailing CRLF is malformed (RFC 9112 §7.1)'
+            },
+            # ── New Smuggling tests (unscored) ─────────────────────────
+            'SMUG-TRANSFER_ENCODING': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'warn_on_2xx': True, 'scored': False,
+                'expected': '400 or 2xx',
+                'reason': 'Underscore makes it a different header — 2xx is valid'
+            },
+            'SMUG-CL-COMMA-SAME': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'warn_on_2xx': True, 'scored': False,
+                'expected': '400 or 2xx',
+                'reason': 'RFC allows merging identical CL values (RFC 9110 §8.6)'
+            },
+            'SMUG-CHUNKED-WITH-PARAMS': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'warn_on_2xx': True, 'scored': False,
+                'expected': '400 or 2xx',
+                'reason': 'Parameters on chunked encoding — some servers ignore'
+            },
+            'SMUG-EXPECT-100-CL': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'warn_on_2xx': True, 'scored': False,
+                'expected': '400 or 2xx',
+                'reason': 'Expect: 100-continue handling varies (RFC 9110 §10.1.1)'
+            },
+            # ── New Malformed Input tests ──────────────────────────────
+            'MAL-NUL-IN-HEADER-VALUE': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'NUL byte in header value is invalid'
+            },
+            'MAL-CHUNK-SIZE-OVERFLOW': {
+                'accept': [400], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400 or close',
+                'reason': 'Chunk size overflow must be rejected'
+            },
+            'MAL-H2-PREFACE': {
+                'accept': [400, 505], 'close_ok': True, 'timeout_ok': True,
+                'expected': '400/505/close/timeout',
+                'reason': 'HTTP/2 preface sent to HTTP/1.1 server is not valid HTTP/1.1'
+            },
+            'MAL-CHUNK-EXTENSION-LONG': {
+                'accept': [400, 431], 'close_ok': True, 'timeout_ok': False,
+                'expected': '400/431 or close',
+                'reason': '100 KB chunk extension exceeds reasonable limits'
+            },
         }
 
         # ── Evaluate one server's results ────────────────────────────

docs/content/docs/headers/_index.md

@@ -28,4 +28,5 @@ HTTP header fields follow a strict grammar: `field-name ":" OWS field-value OWS`
   {{< card link="empty-header-name" title="EMPTY-HEADER-NAME" subtitle="Leading colon with no field name." >}}
   {{< card link="invalid-header-name" title="INVALID-HEADER-NAME" subtitle="Non-token characters in field name." >}}
   {{< card link="header-no-colon" title="HEADER-NO-COLON" subtitle="Header line with no colon separator." >}}
+  {{< card link="whitespace-before-headers" title="WHITESPACE-BEFORE-HEADERS" subtitle="Whitespace before the first header line." >}}
 {{< /cards >}}

docs/content/docs/headers/whitespace-before-headers.md

@@ -0,0 +1,29 @@
+---
+title: "WHITESPACE-BEFORE-HEADERS"
+description: "WHITESPACE-BEFORE-HEADERS test documentation"
+weight: 6
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-WHITESPACE-BEFORE-HEADERS` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 Section 2.2](https://www.rfc-editor.org/rfc/rfc9112#section-2.2) |
+| **Requirement** | SHOULD reject |
+| **Expected** | `400` or close |
+
+## What it sends
+
+A request with whitespace (SP) before the first header line, between the request-line and the headers.
+
+## What the RFC says
+
+> "A recipient that receives whitespace between the start-line and the first header field MUST either reject the message as invalid or consume each whitespace-preceded line without further processing of it." — RFC 9112 Section 2.2
+
+## Why it matters
+
+Whitespace before headers can confuse parsers about where headers begin, potentially enabling smuggling.
+
+## Sources
+
+- [RFC 9112 Section 2.2](https://www.rfc-editor.org/rfc/rfc9112#section-2.2)

docs/content/docs/host-header/_index.md

@@ -22,4 +22,7 @@ This single sentence covers three violations:
 {{< cards >}}
   {{< card link="missing-host" title="MISSING-HOST" subtitle="No Host header present. MUST respond with 400." >}}
   {{< card link="duplicate-host" title="DUPLICATE-HOST" subtitle="Two Host headers with different values. MUST respond with 400." >}}
+  {{< card link="duplicate-host-same" title="DUPLICATE-HOST-SAME" subtitle="Two Host headers with identical values. MUST respond with 400." >}}
+  {{< card link="host-with-userinfo" title="HOST-WITH-USERINFO" subtitle="Host header with userinfo (user@host). Invalid field value." >}}
+  {{< card link="host-with-path" title="HOST-WITH-PATH" subtitle="Host header with path component. Invalid field value." >}}
 {{< /cards >}}

docs/content/docs/host-header/duplicate-host-same.md

@@ -0,0 +1,29 @@
+---
+title: "DUPLICATE-HOST-SAME"
+description: "DUPLICATE-HOST-SAME test documentation"
+weight: 3
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-DUPLICATE-HOST-SAME` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 Section 3.2](https://www.rfc-editor.org/rfc/rfc9112#section-3.2) |
+| **Requirement** | MUST respond with 400 |
+| **Expected** | `400` |
+
+## What it sends
+
+A request with two identical Host headers.
+
+## What the RFC says
+
+> "A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that... contains more than one Host header field line..." — RFC 9112 Section 3.2
+
+## Why it matters
+
+The RFC mandates 400 for *any* duplicate Host headers, regardless of whether the values match. Some servers incorrectly allow identical duplicates.
+
+## Sources
+
+- [RFC 9112 Section 3.2](https://www.rfc-editor.org/rfc/rfc9112#section-3.2)

docs/content/docs/host-header/host-with-path.md

@@ -0,0 +1,29 @@
+---
+title: "HOST-WITH-PATH"
+description: "HOST-WITH-PATH test documentation"
+weight: 5
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-HOST-WITH-PATH` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 Section 3.2](https://www.rfc-editor.org/rfc/rfc9112#section-3.2) |
+| **Requirement** | MUST respond with 400 |
+| **Expected** | `400` or close |
+
+## What it sends
+
+A request with `Host: hostname:port/path`.
+
+## What the RFC says
+
+> "A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that... contains... a Host header field with an invalid field value." — RFC 9112 Section 3.2. The Host header grammar is `uri-host [ ":" port ]` with no path component allowed.
+
+## Why it matters
+
+A path in the Host header is a clear sign of manipulation. If a reverse proxy uses the Host to route, a path component could alter routing.
+
+## Sources
+
+- [RFC 9112 Section 3.2](https://www.rfc-editor.org/rfc/rfc9112#section-3.2)

docs/content/docs/host-header/host-with-userinfo.md

@@ -0,0 +1,30 @@
+---
+title: "HOST-WITH-USERINFO"
+description: "HOST-WITH-USERINFO test documentation"
+weight: 4
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-HOST-WITH-USERINFO` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 Section 3.2](https://www.rfc-editor.org/rfc/rfc9112#section-3.2) |
+| **Requirement** | MUST respond with 400 |
+| **Expected** | `400` or close |
+
+## What it sends
+
+A request with `Host: user@hostname:port`.
+
+## What the RFC says
+
+> "A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that... contains... a Host header field with an invalid field value." — RFC 9112 Section 3.2. The Host header grammar is `uri-host [ ":" port ]` — no userinfo is permitted.
+
+## Why it matters
+
+The userinfo component (`user@`) is not part of the Host grammar. A server that accepts it may be tricked into routing requests incorrectly.
+
+## Sources
+
+- [RFC 9112 Section 3.2](https://www.rfc-editor.org/rfc/rfc9112#section-3.2)
+- [RFC 3986 Section 3.2.1](https://www.rfc-editor.org/rfc/rfc3986#section-3.2.1)

docs/content/docs/line-endings/_index.md

@@ -21,3 +21,9 @@ RFC 9112 Section 2.2 defines that HTTP/1.1 messages use **CRLF** (`\r\n`) as the
   {{< card link="bare-lf-header" title="BARE-LF-HEADER" subtitle="Bare LF in a header field. Recipients MAY accept." >}}
   {{< card link="cr-only-line-ending" title="CR-ONLY-LINE-ENDING" subtitle="CR without LF. MUST consider invalid or replace with SP." >}}
 {{< /cards >}}
+
+### Unscored
+
+{{< cards >}}
+  {{< card link="leading-crlf" title="LEADING-CRLF" subtitle="Leading CRLF before request-line. Server MAY ignore." >}}
+{{< /cards >}}

docs/content/docs/line-endings/leading-crlf.md

@@ -0,0 +1,29 @@
+---
+title: "LEADING-CRLF"
+description: "LEADING-CRLF test documentation"
+weight: 4
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-LEADING-CRLF` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 Section 2.2](https://www.rfc-editor.org/rfc/rfc9112#section-2.2) |
+| **Requirement** | MAY ignore (unscored) |
+| **Expected** | `400` or `2xx` |
+
+## What it sends
+
+Two leading CRLF sequences before the request-line.
+
+## What the RFC says
+
+> "In the interest of robustness, a server that is expecting to receive and parse a request-line SHOULD ignore at least one empty line (CRLF) received prior to the request-line." — RFC 9112 Section 2.2
+
+## Why it matters
+
+This is an unscored test. The RFC encourages servers to tolerate leading CRLFs. Either `400` (strict) or `2xx` (tolerant) is acceptable.
+
+## Sources
+
+- [RFC 9112 Section 2.2](https://www.rfc-editor.org/rfc/rfc9112#section-2.2)

docs/content/docs/malformed-input/_index.md

@@ -32,4 +32,8 @@ These tests send pathological, oversized, or completely invalid payloads. The go
   {{< card link="incomplete-request" title="INCOMPLETE-REQUEST" subtitle="Partial HTTP request." >}}
   {{< card link="empty-request" title="EMPTY-REQUEST" subtitle="Zero bytes sent." >}}
   {{< card link="whitespace-only-line" title="WHITESPACE-ONLY-LINE" subtitle="Only spaces/tabs, no method or URI." >}}
+  {{< card link="nul-in-header-value" title="NUL-IN-HEADER-VALUE" subtitle="NUL byte in header value." >}}
+  {{< card link="chunk-size-overflow" title="CHUNK-SIZE-OVERFLOW" subtitle="Chunk size integer overflow." >}}
+  {{< card link="h2-preface" title="H2-PREFACE" subtitle="HTTP/2 preface sent to HTTP/1.1 server." >}}
+  {{< card link="chunk-extension-long" title="CHUNK-EXTENSION-LONG" subtitle="100KB chunk extension value." >}}
 {{< /cards >}}