﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1014	RFC 7230 Compliance: Err 400 on space+colon for header field separator	regilero		"https://tools.ietf.org/html/rfc7230#section-3.2.4

> No whitespace is allowed between the header field-name and colon.  In
> the past, differences in the handling of such whitespace have led to
> security vulnerabilities in request routing and response handling.  A
> server MUST reject any received request message that contains
> whitespace between a header field-name and colon with a response code
> of 400 (Bad Request).  A proxy MUST remove any such whitespace from a
> response message before forwarding the message downstream.

Currently, sending such a header, like:

{{{

    Dummy : header
         ^
         bad space
}}}

Nginx is not generating an err400. Nginx has a '''safe behavior''':
 - ignores the header value
 - does not transmit it when used as a reverse proxy

But that's not the official way: (...) A server '''MUST''' reject any received request message (...)

Easy test:

{{{
# valid range header
printf 'GET / HTTP/1.1\r\n'\
'Host: nginx.org\r\n'\
'range: bytes=2-4\r\n''\r\n' | nc -q 3 95.211.80.227 80
# => 206 partial content

# invalid range header
printf 'GET / HTTP/1.1\r\n'\
'Host: nginx.org\r\n'\
'range : bytes=2-4\r\n''\r\n' | nc -q 3 95.211.80.227 80
# => 200 full response instead of 400
}}}
"	enhancement	closed	minor		other	1.11.x	fixed				1.11.1
