Skip to content

Honor jdk.httpclient.allowRestrictedHeaders in Http2Client (#2975)#3419

Merged
velo merged 1 commit into
OpenFeign:masterfrom
seonwooj0810:fix/issue-2975-http2-allow-restricted-headers
Jun 17, 2026
Merged

Honor jdk.httpclient.allowRestrictedHeaders in Http2Client (#2975)#3419
velo merged 1 commit into
OpenFeign:masterfrom
seonwooj0810:fix/issue-2975-http2-allow-restricted-headers

Conversation

@seonwooj0810

Copy link
Copy Markdown
Contributor

Fixes #2975

Problem

The JDK HttpClient lets callers opt in to sending otherwise restricted headers (e.g. Host, Connection) by setting the jdk.httpclient.allowRestrictedHeaders system property. However Http2Client keeps its own hard-coded DISALLOWED_HEADERS_SET and strips those headers in filterRestrictedHeaders(...) before the request reaches the JDK client. As a result, even with -Djdk.httpclient.allowRestrictedHeaders=host the Host header is silently dropped and Feign sends the host derived from the URL instead.

Change

Http2Client now mirrors jdk.internal.net.http.common.Utils#getDisallowedHeaders(): any header listed (comma-separated) in the jdk.httpclient.allowRestrictedHeaders system property is removed from the disallowed set, so opting in at the JDK level is no longer defeated by Feign's own filter. Default behavior (property unset) is unchanged — all of connection, content-length, expect, host, upgrade remain filtered.

The header-set construction was extracted into a package-private disallowedHeaders(String) method to keep it pure and unit-testable.

Test evidence

Added Http2ClientHeadersTest covering the default set, single-header opt-in, and multi-header/case-insensitive/whitespace handling:

./mvnw -pl java11 -am test -Dtest=Http2ClientHeadersTest
Tests run: 3, Failures: 0, Errors: 0, Skipped: 0
BUILD SUCCESS

Code format validated via git-code-format-maven-plugin:validate-code-format (BUILD SUCCESS).

Verification done: confirmed bug pattern still on master (static DISALLOWED_HEADERS_SET strips headers unconditionally); no in-flight PR or linked branch for #2975; no self-claim in thread (maintainer invited a PR with tests on 2026-06-04); change is code-only in .java; commit carries DCO sign-off.

…#2975)

The new Java HttpClient lets callers opt in to setting otherwise
restricted headers (such as Host) via the
jdk.httpclient.allowRestrictedHeaders system property. Http2Client kept
its own static DISALLOWED_HEADERS_SET and stripped those headers before
handing the request to the JDK client, so the opt-in had no effect and
the header was silently dropped.

Mirror jdk.internal.net.http.common.Utils#getDisallowedHeaders() by
removing any headers listed in the property from the disallowed set.

Signed-off-by: seonwoo_jung <79202163+seonwooj0810@users.noreply.github.com>

@velo velo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a clean fix for the Http2Client restricted-header filtering. The new tests cover the default restricted set and the opt-in system property behavior, and the change stays internal to the Java 11 client without compatibility or security concerns.

@velo velo merged commit 39c4f41 into OpenFeign:master Jun 17, 2026
3 checks passed
@velo velo mentioned this pull request Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Http2Client doesn't allow setting Host header (or others restricted by default)

2 participants