Skip to content

Comments

fix: HTTP/1.1 protocol flag now properly disables HTTP/2 fallback (#2240)#2412

Open
MrLawrenceKwan wants to merge 7 commits intoprojectdiscovery:mainfrom
MrLawrenceKwan:fix-http11-protocol-issue-2240
Open

fix: HTTP/1.1 protocol flag now properly disables HTTP/2 fallback (#2240)#2412
MrLawrenceKwan wants to merge 7 commits intoprojectdiscovery:mainfrom
MrLawrenceKwan:fix-http11-protocol-issue-2240

Conversation

@MrLawrenceKwan
Copy link

@MrLawrenceKwan MrLawrenceKwan commented Feb 20, 2026

Description

Fixes #2240

This PR addresses the issue where the -pr http11 flag was being ignored due to retryablehttp-go's automatic HTTP/2 fallback behavior.

Problem

When using httpx -pr http11, users expected strict HTTP/1.1 usage. However, retryablehttp-go would automatically fallback to HTTP/2 when encountering certain errors (malformed HTTP version errors), effectively ignoring the user's protocol preference.

Solution

  1. Added DisableHTTP2Fallback option to retryablehttp-go: This option allows clients to disable the automatic HTTP/2 fallback behavior.

  2. Updated httpx to use the new option: When Protocol is set to http11, httpx now sets DisableHTTP2Fallback = true in the retryablehttp client options.

  3. Added comprehensive tests: New tests verify that the HTTP/1.1 protocol enforcement works correctly.

Changes

  • Modified common/httpx/httpx.go to enable DisableHTTP2Fallback when Protocol == "http11"
  • Updated go.mod to use forked retryablehttp-go with the new option (temporary, pending upstream merge)
  • Added TestHTTP11ProtocolEnforcement test suite

Testing

go test ./common/httpx -v -run TestHTTP11ProtocolEnforcement

All tests pass successfully.

Related PRs

Note

This PR currently uses a forked version of retryablehttp-go. Once the upstream retryablehttp-go accepts the DisableHTTP2Fallback option, the go.mod should be updated to use the official version.

dependabot bot and others added 7 commits January 26, 2026 19:50
@dependabot
chore(deps): bump the modules group with 5 updates (projectdiscovery#…
12e3624 
…2383)

Bumps the modules group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/projectdiscovery/cdncheck](https://github.com/projectdiscovery/cdncheck) | `1.2.19` | `1.2.20` |
| [github.com/projectdiscovery/networkpolicy](https://github.com/projectdiscovery/networkpolicy) | `0.1.33` | `0.1.34` |
| [github.com/projectdiscovery/retryablehttp-go](https://github.com/projectdiscovery/retryablehttp-go) | `1.3.4` | `1.3.5` |
| [github.com/projectdiscovery/useragent](https://github.com/projectdiscovery/useragent) | `0.0.106` | `0.0.107` |
| [github.com/projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo) | `0.2.64` | `0.2.65` |


Updates `github.com/projectdiscovery/cdncheck` from 1.2.19 to 1.2.20
- [Release notes](https://github.com/projectdiscovery/cdncheck/releases)
- [Commits](projectdiscovery/cdncheck@v1.2.19...v1.2.20)

Updates `github.com/projectdiscovery/networkpolicy` from 0.1.33 to 0.1.34
- [Release notes](https://github.com/projectdiscovery/networkpolicy/releases)
- [Commits](projectdiscovery/networkpolicy@v0.1.33...v0.1.34)

Updates `github.com/projectdiscovery/retryablehttp-go` from 1.3.4 to 1.3.5
- [Release notes](https://github.com/projectdiscovery/retryablehttp-go/releases)
- [Commits](projectdiscovery/retryablehttp-go@v1.3.4...v1.3.5)

Updates `github.com/projectdiscovery/useragent` from 0.0.106 to 0.0.107
- [Release notes](https://github.com/projectdiscovery/useragent/releases)
- [Commits](projectdiscovery/useragent@v0.0.106...v0.0.107)

Updates `github.com/projectdiscovery/wappalyzergo` from 0.2.64 to 0.2.65
- [Release notes](https://github.com/projectdiscovery/wappalyzergo/releases)
- [Commits](projectdiscovery/wappalyzergo@v0.2.64...v0.2.65)

---
updated-dependencies:
- dependency-name: github.com/projectdiscovery/cdncheck
  dependency-version: 1.2.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/networkpolicy
  dependency-version: 0.1.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/retryablehttp-go
  dependency-version: 1.3.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/useragent
  dependency-version: 0.0.107
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/wappalyzergo
  dependency-version: 0.2.65
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore(deps): bump the modules group with 7 updates
9c43bac 
Bumps the modules group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/projectdiscovery/cdncheck](https://github.com/projectdiscovery/cdncheck) | `1.2.20` | `1.2.21` |
| [github.com/projectdiscovery/dsl](https://github.com/projectdiscovery/dsl) | `0.8.12` | `0.8.13` |
| [github.com/projectdiscovery/fastdialer](https://github.com/projectdiscovery/fastdialer) | `0.5.3` | `0.5.4` |
| [github.com/projectdiscovery/gologger](https://github.com/projectdiscovery/gologger) | `1.1.67` | `1.1.68` |
| [github.com/projectdiscovery/hmap](https://github.com/projectdiscovery/hmap) | `0.0.99` | `0.0.100` |
| [github.com/projectdiscovery/retryablehttp-go](https://github.com/projectdiscovery/retryablehttp-go) | `1.3.5` | `1.3.6` |
| [github.com/projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo) | `0.2.65` | `0.2.66` |


Updates `github.com/projectdiscovery/cdncheck` from 1.2.20 to 1.2.21
- [Release notes](https://github.com/projectdiscovery/cdncheck/releases)
- [Commits](projectdiscovery/cdncheck@v1.2.20...v1.2.21)

Updates `github.com/projectdiscovery/dsl` from 0.8.12 to 0.8.13
- [Release notes](https://github.com/projectdiscovery/dsl/releases)
- [Commits](projectdiscovery/dsl@v0.8.12...v0.8.13)

Updates `github.com/projectdiscovery/fastdialer` from 0.5.3 to 0.5.4
- [Release notes](https://github.com/projectdiscovery/fastdialer/releases)
- [Commits](projectdiscovery/fastdialer@v0.5.3...v0.5.4)

Updates `github.com/projectdiscovery/gologger` from 1.1.67 to 1.1.68
- [Release notes](https://github.com/projectdiscovery/gologger/releases)
- [Commits](projectdiscovery/gologger@v1.1.67...v1.1.68)

Updates `github.com/projectdiscovery/hmap` from 0.0.99 to 0.0.100
- [Release notes](https://github.com/projectdiscovery/hmap/releases)
- [Commits](projectdiscovery/hmap@v0.0.99...v0.0.100)

Updates `github.com/projectdiscovery/retryablehttp-go` from 1.3.5 to 1.3.6
- [Release notes](https://github.com/projectdiscovery/retryablehttp-go/releases)
- [Commits](projectdiscovery/retryablehttp-go@v1.3.5...v1.3.6)

Updates `github.com/projectdiscovery/wappalyzergo` from 0.2.65 to 0.2.66
- [Release notes](https://github.com/projectdiscovery/wappalyzergo/releases)
- [Commits](projectdiscovery/wappalyzergo@v0.2.65...v0.2.66)

---
updated-dependencies:
- dependency-name: github.com/projectdiscovery/cdncheck
  dependency-version: 1.2.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/dsl
  dependency-version: 0.8.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/fastdialer
  dependency-version: 0.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/gologger
  dependency-version: 1.1.68
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/hmap
  dependency-version: 0.0.100
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/retryablehttp-go
  dependency-version: 1.3.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/wappalyzergo
  dependency-version: 0.2.66
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dogancanbakir
chore: add pull request template
374fcd1
fix: prevent data loss on interrupt by implementing graceful shutdown
fa95023
@Mzack9999
Merge pull request projectdiscovery#2386 from projectdiscovery/depend…
d54cb54 
…abot/go_modules/dev/modules-60805faa73

chore(deps): bump the modules group with 7 updates
@dogancanbakir
Merge pull request projectdiscovery#2393 from assakafpix/fix/resume-l…
1a11e4c 
…ost-targets

fix: prevent data loss on interrupt by implementing graceful shutdown
@LawrenceKwan
fix: HTTP/1.1 protocol flag now properly disables HTTP/2 fallback
dd5be6f 
Fixes projectdiscovery#2240

When using the -pr http11 flag, httpx now properly disables the HTTP/2
fallback in retryablehttp-go by setting the DisableHTTP2Fallback option.

Previously, even when HTTP/1.1 was explicitly requested, retryablehttp-go
would automatically fallback to HTTP/2 on certain errors, ignoring the
user's protocol preference.

Changes:
- Enable DisableHTTP2Fallback in retryablehttp-go when Protocol is set to http11
- Update go.mod to use forked retryablehttp-go with the new option
- Add comprehensive tests for HTTP/1.1 protocol enforcement

This ensures that when users specify -pr http11, the client will strictly
use HTTP/1.1 and handle errors according to the retry policy rather than
silently switching to HTTP/2.
@auto-assign auto-assign bot requested a review from dogancanbakir February 20, 2026 03:35
@coderabbitai
Copy link

coderabbitai bot commented Feb 20, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dogancanbakir dogancanbakir Awaiting requested review from dogancanbakir

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@MrLawrenceKwan @dogancanbakir @Mzack9999 @LawrenceKwan