Use strictSingleValueFields:false to support proxying semi-valid HTTP/2

pimterry · pimterry · commit 8c8cdba2a74d · 2026-03-06T13:42:46.000+01:00
diff --git a/src/rules/requests/request-step-impls.ts b/src/rules/requests/request-step-impls.ts
@@ -790,6 +790,12 @@ export class PassThroughStepImpl extends PassThroughStep {
                     ? rawHeadersToObjectPreservingCase(rawHeaders)
                     : flattenPairedRawHeaders(rawHeaders) as any,
                 setDefaultHeaders: shouldTryH2Upstream, // For now, we need this for unexpected H2->H1 header fallback
+                ...({
+                    // Disable strict HTTP/2 single-value field validation, extracted here
+                    // due to types. Needed for compatibility with weird servers, Node 25.7+
+                    strictSingleValueFields: false,
+                }),
+
                 lookup: getDnsLookupFunction(this.lookupOptions) as typeof dns.lookup,
                 // ^ Cast required to handle __promisify__ type hack in the official Node types
                 agent,
diff --git a/test/integration/http2.spec.ts b/test/integration/http2.spec.ts
@@ -604,6 +604,47 @@ nodeOnly(() => {
                     await cleanup(proxiedClient, client);
                 });
 
+                it("can pass through HTTP/2 with duplicate single-value request headers", async function () {
+                    if (!nodeSatisfies(">=25.7.0")) this.skip();
+
+                    await server.forGet(`https://localhost:${targetPort}/`)
+                        .thenPassThrough({ ignoreHostHttpsErrors: ['localhost'] });
+
+                    const client = http2.connect(server.url);
+
+                    const req = client.request({
+                        ':method': 'CONNECT',
+                        ':authority': `localhost:${targetPort}`
+                    });
+
+                    // Initial response, the proxy has set up our tunnel:
+                    const responseHeaders = await getHttp2Response(req);
+                    expect(responseHeaders[':status']).to.equal(200);
+
+                    // We can now read/write to req as a raw TCP socket to our target server
+                    const proxiedClient = http2.connect(`https://localhost:${targetPort}`, {
+                         // Tunnel this request through the proxy stream
+                        createConnection: () => tls.connect({
+                            socket: req as any,
+                            ALPNProtocols: ['h2']
+                        }),
+                        // Allow the test client to send duplicate single-value headers:
+                        strictSingleValueFields: false
+                    } as any);
+
+                    const proxiedRequest = proxiedClient.request({
+                        ':path': '/',
+                        'user-agent': ['agent-1', 'agent-2'] as any
+                    });
+                    const proxiedResponse = await getHttp2Response(proxiedRequest);
+                    expect(proxiedResponse[':status']).to.equal(200);
+
+                    const responseBody = await getHttp2Body(proxiedRequest);
+                    expect(responseBody.toString('utf8')).to.equal("Real HTTP/2 response");
+
+                    await cleanup(proxiedClient, client);
+                });
+
             });
 
         });
