The web server must terminate the connection if server-level exceptions are triggered when handling requests to prevent HTTP request smuggling attacks.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-264365	SRG-APP-000251	SRG-APP-000251-WSR-000195	SV-264365r984440_rule	2025-02-12	4

Description
The web server defines a set of exceptions for every HTTP status code. Each exception class has a status code according to RFC 2068: Codes with 100-300 are not really errors; 400s are client errors, and 500s are server errors. If not directly specified, headers will be added to the default response headers. In the event of an anomaly or exception during the processing of requests, it is safer to terminate the connection to prevent malformed requests from exploiting potential protocol vulnerabilities.

Description

The web server defines a set of exceptions for every HTTP status code. Each exception class has a status code according to RFC 2068: Codes with 100-300 are not really errors; 400s are client errors, and 500s are server errors. If not directly specified, headers will be added to the default response headers. In the event of an anomaly or exception during the processing of requests, it is safer to terminate the connection to prevent malformed requests from exploiting potential protocol vulnerabilities.

ℹ️ Check
Verify the web server terminates the connection if server-level exceptions are triggered when handling requests. If the web server does not terminate the connection if server-level exceptions are triggered when handling requests, this is a finding.

✔️ Fix
Configure web server to terminate the connection if server-level exceptions are triggered when handling requests to prevent HTTP request smuggling attacks.