Glossary
Malformed Input

Malformed Input

These tests send pathological, oversized, or completely invalid payloads. The goal is not RFC compliance (there’s no RFC section for “what to do with binary garbage”) — it’s robustness. A well-implemented server should reject gracefully, not crash, hang, or consume unbounded resources.

Expected Behavior

  • Binary garbage / empty / incomplete: 400, close, or timeout — the server may not even recognize a request was attempted
  • Oversized fields: 400, 414 URI Too Long, 431 Request Header Fields Too Large, or close
  • Invalid bytes (NUL, control chars, non-ASCII): 400 or close
  • Integer overflow: 400 or close

Tests

BINARY-GARBAGE
Random non-HTTP bytes.
LONG-URL
100 KB URL.
LONG-HEADER-NAME
100 KB header name.
LONG-HEADER-VALUE
100 KB header value.
LONG-METHOD
100 KB method name.
MANY-HEADERS
10,000 headers.
NUL-IN-URL
NUL byte in request target.
CONTROL-CHARS-HEADER
Control characters in header value.
NON-ASCII-HEADER-NAME
Non-ASCII bytes in header name.
NON-ASCII-URL
Non-ASCII bytes in URL.
CL-OVERFLOW
Content-Length exceeding 64-bit range.
INCOMPLETE-REQUEST
Partial HTTP request.
EMPTY-REQUEST
Zero bytes sent.
WHITESPACE-ONLY-LINE
Only spaces/tabs, no method or URI.
NUL-IN-HEADER-VALUE
NUL byte in header value.
CHUNK-SIZE-OVERFLOW
Chunk size integer overflow.
H2-PREFACE
HTTP/2 preface sent to HTTP/1.1 server.
CHUNK-EXTENSION-LONG
100KB chunk extension value.
CL-EMPTY
Empty Content-Length value.

Unscored

CL-TAB-BEFORE-VALUE
Tab as OWS before Content-Length value.