Supporting HTTP/2: HTTP/1.1 must die

[JLLeitschuh]

At BlackHat & DEF CON 33, James Kettle detailed that HTTP/1.1 contains fundamental desynchronization security vulnerabilities that researchers keep finding and will continue to find due to the poorly defined boundaries between requests. In that research, bug bounty hunters found $300k+ worth of bounties due to a novel HTTP Request Splitting vulnerability.

This research is summarized here: https://http1mustdie.com/

James believes that there will continue to be new, and noverl HTTP request smuggling vulnerabilities due to the fundamental insecure nature of HTTP/1.1.

His proposed mitigation is to encourage all backing servers to support HTTP/2.

I know that a ticket on this topic #5462, however given that this research is new, and situationally relevant to express, it seems like it was appropriate to create a new issue.

[bjohansebas]

I understand, but that still doesn’t fall under Express’ responsibilities. Express is just a wrapper to make it easier to create servers with Node.js, and we won’t stop supporting HTTP/1.1 (I’m not speaking on behalf of the team here). We haven’t achieved HTTP/2 yet, and QUIC is not yet available in Node.js.

In the end, this would be more of a Node.js problem, but I don’t think they can do much about it either.

[SheldonWBM]

Using middlewares such as http2-express or spdy, has anyone implemented HTTP/2 on Express 5.x with Node 24.x?
I have the following error when I attempt it

node:events:486
      throw er; // Unhandled 'error' event
      ^

TypeError: Cannot read properties of undefined (reading 'readable')
    at IncomingMessage._read (node:_http_incoming:211:19)
    at Readable.read (node:internal/streams/readable:737:12)
    at resume_ (node:internal/streams/readable:1260:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
Emitted 'error' event on IncomingMessage instance at:
    at emitErrorNT (node:internal/streams/destroy:170:8)
    at errorOrDestroy (node:internal/streams/destroy:239:7)
    at Readable.read (node:internal/streams/readable:739:7)
    at resume_ (node:internal/streams/readable:1260:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)

Node.js v24.7.0

If Express does not officially support it, assume middleware is doing a translation to http/1.1. Is there still a real-world performance benefit?

Note: The below works without middleware but seems like a hack

// Handle HTTP/2 streams manually for Express compatibility
server.on('stream', (stream, headers) => {
  let headersSent = false;
  let statusCode = 200;
  let statusMessage = 'OK';
  const responseHeaders: Record<string, string | string[]> = {};

  // Create request object
  const req = {
    ...stream,
    // Add connection information that Express expects
    connection: {
      encrypted: true,
      localAddress: stream.session?.socket?.localAddress || '127.0.0.1',
      localPort: stream.session?.socket?.localPort || 0,
      remoteAddress: stream.session?.socket?.remoteAddress || '127.0.0.1',
      remotePort: stream.session?.socket?.remotePort || 0,
    },

    emit: stream.emit.bind(stream),

    headers: headers,

    httpVersion: '2.0',

    httpVersionMajor: 2,

    httpVersionMinor: 0,

    method: headers[':method'],

    // Proxy other needed stream properties
    on: stream.on.bind(stream),

    once: stream.once.bind(stream),

    pipe: stream.pipe.bind(stream),

    read: stream.read.bind(stream),

    readable: stream.readable,

    readableEnded: stream.readableEnded,

    // Add socket information
    socket: {
      encrypted: true,
      localAddress: stream.session?.socket?.localAddress || '127.0.0.1',
      localPort: stream.session?.socket?.localPort || 0,
      remoteAddress: stream.session?.socket?.remoteAddress || '127.0.0.1',
      remotePort: stream.session?.socket?.remotePort || 0,
    },

    url: headers[':path'],
  };

  // Create response object
  const res = {
    emit: stream.emit.bind(stream),

    end(data?: any, encoding?: any) {
      if (!headersSent) {
        this.writeHead(statusCode);
      }
      if (data) {
        stream.write(data, encoding);
      }
      stream.end();
      return this;
    },

    getHeader(name: string) {
      return responseHeaders[name.toLowerCase()];
    },

    get headersSent() {
      return headersSent;
    },

    json(obj: any) {
      this.setHeader('Content-Type', 'application/json');
      return this.end(JSON.stringify(obj));
    },

    // Proxy other needed stream methods
    on: stream.on.bind(stream),

    once: stream.once.bind(stream),

    removeHeader(name: string) {
      if (headersSent) return this;
      delete responseHeaders[name.toLowerCase()];
      return this;
    },

    send(body: any) {
      if (typeof body === 'object' && body !== null) {
        return this.json(body);
      }
      return this.end(body);
    },

    setHeader(name: string, value: string | string[]) {
      if (headersSent) return this;
      responseHeaders[name.toLowerCase()] = value;
      return this;
    },

    status(code: number) {
      statusCode = code;
      this.statusCode = code;
      return this;
    },

    // Express response properties
    statusCode,

    statusMessage,

    // Copy non-conflicting properties from stream
    writable: stream.writable,

    writableEnded: stream.writableEnded,
    write(chunk: any, encoding?: any) {
      if (!headersSent) {
        this.writeHead(statusCode);
      }
      return stream.write(chunk, encoding);
    },
    writeHead(code: number, message?: string | any, headers?: any) {
      if (headersSent) return this;

      if (typeof message === 'object') {
        headers = message;
        message = undefined;
      }

      statusCode = code;
      if (message) statusMessage = message;

      const finalHeaders: any = {
        ':status': statusCode,
        ...responseHeaders,
        ...headers,
      };

      try {
        stream.respond(finalHeaders);
        headersSent = true;
      } catch (err) {
        // Stream might already be closed
      }
      return this;
    },
  };

  // Pass to Express app
  app(req as any, res as any);
});