Strip body and Content-Length from 204/304 responses (RFC 9112) #3493
Open
daniel7an wants to merge 1 commit into benoitc:master from
Per RFC 9112 Section 6.3, responses with status codes 204 and 304 must not contain a message body. This commit:
- Strips Content-Length header during response header processing for 204 and 304 status codes
- Silently discards any body data written for these status codes
- Adds tests verifying the behavior for 204, 304, and normal 200
Fixes benoitc#3413
pajod reviewed Feb 11, 2026
| if lname == "content-length": | ||
| # RFC 9112 6.3: 1xx, 204, and 304 responses must not | ||
| # contain a message body, so Content-Length is stripped. | ||
| if self.status_code in (204, 304): |
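Review bot: The code comment in this hunk names 1xx, 204, and 304, but the condition "if self.status_code in (204, 304):" covers only 204 and 304, so the comment and the check disagree. Either drop 1xx from the comment or extend the tuple, whichever is intended. The comment also justifies removing Content-Length by the no-body rule alone; since both statuses share one tuple, a short note on why the header itself is removed for each of them would make the intent reviewable.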
Contributor
Excessive. Content-Length for 304 responses is perfectly reasonable.. it expresses the (potentially non-zero) size as usual, it is merely not to be used for determining message framing.
Summary
Per RFC 9112 Section 6.3, responses with status codes 204 and 304 must not contain a message body, and Content-Length should be absent.
Currently, Gunicorn forwards 204/304 responses as-is from the WSGI app, including any body and Content-Length header. This can cause issues with downstream proxies (e.g., AWS ALB returning 502).
Changes
- gunicorn/http/wsgi.py: Strip Content-Length header during process_headers() for 204/304 responses. Silently discard body data in write() for these status codes.
- tests/test_http.py: Added tests for 204, 304 (Content-Length stripped, body discarded) and 200 (normal behavior preserved).
Behavior
Other frameworks (Flask, FastAPI, Express, Spring) already enforce this behavior.
Fixes #3413
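The behaviour described above can also be applied in front of the server as WSGI middleware. The following is an added example, not code from this pull request or from Gunicorn; NoBodyMiddleware, strip_length_for and run_once are hypothetical names. It assumes Content-Length is removed for 204 only by default, with 304 opt-in, because the review comment above leaves that point open.

```python
# Added example: WSGI middleware, not Gunicorn code. All names are hypothetical.
NO_BODY_STATUSES = frozenset({204, 304})

class NoBodyMiddleware:
    """Drop body bytes on 204/304 responses before the server sees them."""

    def __init__(self, app, strip_length_for=(204,)):
        self.app = app
        # Statuses that also lose Content-Length. 304 is excluded by default;
        # pass (204, 304) to match what the pull request does.
        self.strip_length_for = frozenset(strip_length_for)

    def __call__(self, environ, start_response):
        seen = {}

        def checked_start(status, headers, exc_info=None):
            code = seen["code"] = int(status.split(None, 1)[0])
            if code in self.strip_length_for:
                headers = [(k, v) for k, v in headers
                           if k.lower() != "content-length"]
            write = start_response(status, headers, exc_info)
            # Legacy write() callable: swallow data for no-body statuses.
            return (lambda data: None) if code in NO_BODY_STATUSES else write

        return self._filter(self.app(environ, checked_start), seen)

    @staticmethod
    def _filter(result, seen):
        try:
            for chunk in result:
                if seen.get("code") not in NO_BODY_STATUSES:
                    yield chunk
        finally:
            if hasattr(result, "close"):
                result.close()

def run_once(wrap, status, headers, body=b"x"):
    """Constructed harness: returns (headers, body) as the server would get them."""
    out = {}

    def inner(environ, start_response):
        start_response(status, list(headers))
        return [body]

    def start_response(st, hdrs, exc_info=None):
        out["headers"] = dict(hdrs)
        return lambda data: None

    sent = b"".join(wrap(inner)({}, start_response))
    return out["headers"], sent
```

Wrapping the application object as NoBodyMiddleware(app) leaves every other status code untouched, so a 200 response keeps both its body and its Content-Length.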