https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #17 from Greg Turnquist <greg.l.turnqu...@gmail.com> ---

I tend to lean towards security experts (like OWASP) that indicate it's preferable to reduce information leakage, rather than simply asserting there is no real world risk here. The rest of the industry has headed towards reducing information leakage (see Jetty, Undertow, etc.). While "everyone else is doing it" isn't an argument, observing an industry migration that is backed up by cited security experts IS an argument in favor of such a change.

On a personal note, it's interesting that we're not concerned about 27 bytes because it's nothing, but some ARE concerned about the cycles spent to generate those 27 bytes. I don't think resource consumption is the focal point of this request, being premature optimization. I would favor upholding RFCs behind servlets as well as HTTP headers alongside industry-driven security recommendations, and save optimization only for AFTER that has been met.