HTTP/1.1 Must Die: Why This 6-Year-Old Vulnerability Is Still a Major Threat
Six years ago, researchers at PortSwigger first identified a fundamental flaw in the HTTP/1.1 protocol—one that enables HTTP Request Smuggling attacks. Despite being publicly known since 2019, the vulnerability remains unresolved and continues to pose a serious threat: attackers can manipulate or inject requests at the infrastructure level, gaining access to sensitive data and control over web applications.
The danger lies in a core weakness of HTTP/1.1—its architecture permits ambiguity in determining the boundaries between consecutive requests. Attackers exploit this by crafting payloads that servers and proxies interpret differently. In practice, this means a malicious request can be “hidden” within a legitimate one, bypass security checks, and trigger actions chosen by the attacker. Such attacks are particularly potent when routed through CDNs and reverse proxies, where discrepancies in request handling logic are especially pronounced.
PortSwigger stresses that despite extensive defensive measures undertaken since the vulnerability’s initial disclosure in 2019, the problem remains acute. Over the past six years, dozens of mitigations have been deployed, yet none have eliminated the possibility of exploitation. Recent tests show that even major CDN providers still exhibit request desynchronization when HTTP/1.1 is used between a proxy and the origin server.
Particularly troubling is that migration to HTTP/2—the modern protocol version that eliminates this request-structure ambiguity—often proves incomplete. Many organizations enable HTTP/2 only at the edge, while retaining HTTP/1.1 for communication between proxies and origin servers, leaving a persistent point of entry for attacks. It is precisely in this internal layer that the greatest risk resides.
In response to the continued neglect of the issue, PortSwigger has launched a bluntly named campaign: “HTTP/1.1 Must Die.” The researchers call for the unconditional retirement of the outdated protocol, warning that if HTTP/1.1 exists anywhere in the infrastructure, the risk of total application compromise remains.
Their recommendations include enabling HTTP/2 support at all layers—including internal connections—activating request validation and normalization mechanisms on the client side, and disabling connection reuse between infrastructure components. Where full migration is not yet feasible, developers are advised to regularly scan their systems using open-source tools such as HTTP Request Smuggler 3.0 and HTTP Hacker, both designed to detect these vulnerabilities.
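The boundary ambiguity described above comes down to a request whose length can be read in more than one way, and the strict validation PortSwigger recommends means rejecting such requests outright rather than guessing. The following is an added illustration, not PortSwigger's code nor part of HTTP Request Smuggler; the function names, the header-check rules and the two sample requests are assumptions constructed for this example.

```python
import re

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 token characters

# Constructed samples (not from PortSwigger): a clean request and one whose
# length is framed two ways at once, so two parsers may disagree on where it ends.
CLEAN_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 7\r\n\r\nuser=ab"
)
AMBIGUOUS_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 5\r\nTransfer-Encoding : xchunked\r\n\r\n0\r\n\r\n"
)

def split_headers(raw: bytes):
    """Split a raw request into (request line, [(name, value)], body).
    Header names are kept exactly as sent so that obfuscation is visible."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name, value.strip()))
    return lines[0], headers, body

def framing_problems(raw: bytes) -> list:
    """Reasons a strict front end should reject this request instead of
    guessing its length. An empty list means the framing is unambiguous."""
    _, headers, _ = split_headers(raw)
    problems = []
    for name, _value in headers:
        if not TOKEN.fullmatch(name):  # e.g. whitespace before the colon
            problems.append("malformed header name: %r" % name)
    norm = [(n.strip().lower(), v) for n, v in headers]
    cl = [v for n, v in norm if n == b"content-length"]
    te = [v for n, v in norm if n == b"transfer-encoding"]
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl:
        if not re.fullmatch(rb"[0-9]+", v):
            problems.append("non-numeric Content-Length: %r" % v)
    for v in te:
        if v.lower() != b"chunked":  # only a bare, final "chunked" is acceptable
            problems.append("unexpected Transfer-Encoding value: %r" % v)
    return problems

def is_unambiguous(raw: bytes) -> bool:
    """True when a strict parser can determine the message length in exactly one way."""
    return not framing_problems(raw)
```

A front end that forwards over HTTP/1.1 should apply checks like these before reuse of the upstream connection, since a request that fails them is exactly the kind on which a proxy and origin can disagree.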
The findings once again challenge the resilience of today’s web ecosystem, where millions of sites—from personal blogs to Fortune 500 infrastructure—still rely on an unsafe protocol. And while HTTP/2 and HTTP/3 offer secure alternatives, the slow pace of migration renders every unpatched weakness a potential catastrophe.