Skip to content

fix: HTTP/1.1 protocol flag now properly disables HTTP/2 fallback (#2240)#2412

Closed
MrLawrenceKwan wants to merge 7 commits intoprojectdiscovery:mainfrom
MrLawrenceKwan:fix-http11-protocol-issue-2240
Closed

fix: HTTP/1.1 protocol flag now properly disables HTTP/2 fallback (#2240)#2412
MrLawrenceKwan wants to merge 7 commits intoprojectdiscovery:mainfrom
MrLawrenceKwan:fix-http11-protocol-issue-2240

Conversation

@MrLawrenceKwan
Copy link

@MrLawrenceKwan MrLawrenceKwan commented Feb 20, 2026

Description

Fixes #2240

This PR addresses the issue where the -pr http11 flag was being ignored due to retryablehttp-go's automatic HTTP/2 fallback behavior.

Problem

When using httpx -pr http11, users expected strict HTTP/1.1 usage. However, retryablehttp-go would automatically fallback to HTTP/2 when encountering certain errors (malformed HTTP version errors), effectively ignoring the user's protocol preference.

Solution

  1. Added DisableHTTP2Fallback option to retryablehttp-go: This option allows clients to disable the automatic HTTP/2 fallback behavior.

  2. Updated httpx to use the new option: When Protocol is set to http11, httpx now sets DisableHTTP2Fallback = true in the retryablehttp client options.

  3. Added comprehensive tests: New tests verify that the HTTP/1.1 protocol enforcement works correctly.

Changes

  • Modified common/httpx/httpx.go to enable DisableHTTP2Fallback when Protocol == "http11"
  • Updated go.mod to use forked retryablehttp-go with the new option (temporary, pending upstream merge)
  • Added TestHTTP11ProtocolEnforcement test suite

Testing

go test ./common/httpx -v -run TestHTTP11ProtocolEnforcement

All tests pass successfully.

Related PRs

Note

This PR currently uses a forked version of retryablehttp-go. Once the upstream retryablehttp-go accepts the DisableHTTP2Fallback option, the go.mod should be updated to use the official version.

dependabot bot and others added 7 commits January 26, 2026 19:50
@dependabot
chore(deps): bump the modules group with 5 updates (projectdiscovery#…
12e3624 
…2383)

Bumps the modules group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/projectdiscovery/cdncheck](https://github.com/projectdiscovery/cdncheck) | `1.2.19` | `1.2.20` |
| [github.com/projectdiscovery/networkpolicy](https://github.com/projectdiscovery/networkpolicy) | `0.1.33` | `0.1.34` |
| [github.com/projectdiscovery/retryablehttp-go](https://github.com/projectdiscovery/retryablehttp-go) | `1.3.4` | `1.3.5` |
| [github.com/projectdiscovery/useragent](https://github.com/projectdiscovery/useragent) | `0.0.106` | `0.0.107` |
| [github.com/projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo) | `0.2.64` | `0.2.65` |


Updates `github.com/projectdiscovery/cdncheck` from 1.2.19 to 1.2.20
- [Release notes](https://github.com/projectdiscovery/cdncheck/releases)
- [Commits](projectdiscovery/cdncheck@v1.2.19...v1.2.20)

Updates `github.com/projectdiscovery/networkpolicy` from 0.1.33 to 0.1.34
- [Release notes](https://github.com/projectdiscovery/networkpolicy/releases)
- [Commits](projectdiscovery/networkpolicy@v0.1.33...v0.1.34)

Updates `github.com/projectdiscovery/retryablehttp-go` from 1.3.4 to 1.3.5
- [Release notes](https://github.com/projectdiscovery/retryablehttp-go/releases)
- [Commits](projectdiscovery/retryablehttp-go@v1.3.4...v1.3.5)

Updates `github.com/projectdiscovery/useragent` from 0.0.106 to 0.0.107
- [Release notes](https://github.com/projectdiscovery/useragent/releases)
- [Commits](projectdiscovery/useragent@v0.0.106...v0.0.107)

Updates `github.com/projectdiscovery/wappalyzergo` from 0.2.64 to 0.2.65
- [Release notes](https://github.com/projectdiscovery/wappalyzergo/releases)
- [Commits](projectdiscovery/wappalyzergo@v0.2.64...v0.2.65)

---
updated-dependencies:
- dependency-name: github.com/projectdiscovery/cdncheck
  dependency-version: 1.2.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/networkpolicy
  dependency-version: 0.1.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/retryablehttp-go
  dependency-version: 1.3.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/useragent
  dependency-version: 0.0.107
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/wappalyzergo
  dependency-version: 0.2.65
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore(deps): bump the modules group with 7 updates
9c43bac 
Bumps the modules group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/projectdiscovery/cdncheck](https://github.com/projectdiscovery/cdncheck) | `1.2.20` | `1.2.21` |
| [github.com/projectdiscovery/dsl](https://github.com/projectdiscovery/dsl) | `0.8.12` | `0.8.13` |
| [github.com/projectdiscovery/fastdialer](https://github.com/projectdiscovery/fastdialer) | `0.5.3` | `0.5.4` |
| [github.com/projectdiscovery/gologger](https://github.com/projectdiscovery/gologger) | `1.1.67` | `1.1.68` |
| [github.com/projectdiscovery/hmap](https://github.com/projectdiscovery/hmap) | `0.0.99` | `0.0.100` |
| [github.com/projectdiscovery/retryablehttp-go](https://github.com/projectdiscovery/retryablehttp-go) | `1.3.5` | `1.3.6` |
| [github.com/projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo) | `0.2.65` | `0.2.66` |


Updates `github.com/projectdiscovery/cdncheck` from 1.2.20 to 1.2.21
- [Release notes](https://github.com/projectdiscovery/cdncheck/releases)
- [Commits](projectdiscovery/cdncheck@v1.2.20...v1.2.21)

Updates `github.com/projectdiscovery/dsl` from 0.8.12 to 0.8.13
- [Release notes](https://github.com/projectdiscovery/dsl/releases)
- [Commits](projectdiscovery/dsl@v0.8.12...v0.8.13)

Updates `github.com/projectdiscovery/fastdialer` from 0.5.3 to 0.5.4
- [Release notes](https://github.com/projectdiscovery/fastdialer/releases)
- [Commits](projectdiscovery/fastdialer@v0.5.3...v0.5.4)

Updates `github.com/projectdiscovery/gologger` from 1.1.67 to 1.1.68
- [Release notes](https://github.com/projectdiscovery/gologger/releases)
- [Commits](projectdiscovery/gologger@v1.1.67...v1.1.68)

Updates `github.com/projectdiscovery/hmap` from 0.0.99 to 0.0.100
- [Release notes](https://github.com/projectdiscovery/hmap/releases)
- [Commits](projectdiscovery/hmap@v0.0.99...v0.0.100)

Updates `github.com/projectdiscovery/retryablehttp-go` from 1.3.5 to 1.3.6
- [Release notes](https://github.com/projectdiscovery/retryablehttp-go/releases)
- [Commits](projectdiscovery/retryablehttp-go@v1.3.5...v1.3.6)

Updates `github.com/projectdiscovery/wappalyzergo` from 0.2.65 to 0.2.66
- [Release notes](https://github.com/projectdiscovery/wappalyzergo/releases)
- [Commits](projectdiscovery/wappalyzergo@v0.2.65...v0.2.66)

---
updated-dependencies:
- dependency-name: github.com/projectdiscovery/cdncheck
  dependency-version: 1.2.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/dsl
  dependency-version: 0.8.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/fastdialer
  dependency-version: 0.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/gologger
  dependency-version: 1.1.68
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/hmap
  dependency-version: 0.0.100
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/retryablehttp-go
  dependency-version: 1.3.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/wappalyzergo
  dependency-version: 0.2.66
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dogancanbakir
chore: add pull request template
374fcd1
fix: prevent data loss on interrupt by implementing graceful shutdown
fa95023
@Mzack9999
Merge pull request projectdiscovery#2386 from projectdiscovery/depend…
d54cb54 
…abot/go_modules/dev/modules-60805faa73

chore(deps): bump the modules group with 7 updates
@dogancanbakir
Merge pull request projectdiscovery#2393 from assakafpix/fix/resume-l…
1a11e4c 
…ost-targets

fix: prevent data loss on interrupt by implementing graceful shutdown
@LawrenceKwan
fix: HTTP/1.1 protocol flag now properly disables HTTP/2 fallback
dd5be6f 
Fixes projectdiscovery#2240

When using the -pr http11 flag, httpx now properly disables the HTTP/2
fallback in retryablehttp-go by setting the DisableHTTP2Fallback option.

Previously, even when HTTP/1.1 was explicitly requested, retryablehttp-go
would automatically fallback to HTTP/2 on certain errors, ignoring the
user's protocol preference.

Changes:
- Enable DisableHTTP2Fallback in retryablehttp-go when Protocol is set to http11
- Update go.mod to use forked retryablehttp-go with the new option
- Add comprehensive tests for HTTP/1.1 protocol enforcement

This ensures that when users specify -pr http11, the client will strictly
use HTTP/1.1 and handle errors according to the retry policy rather than
silently switching to HTTP/2.
@auto-assign auto-assign bot requested a review from dogancanbakir February 20, 2026 03:35
@coderabbitai
Copy link

coderabbitai bot commented Feb 20, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@Mzack9999
Copy link
Member

Mzack9999 commented Mar 19, 2026

This issue has been resolved by merging #2424. This PR is significantly over-scoped — it adds a PR template file, restructures the signal handler in cmd/httpx/httpx.go, and makes changes across multiple packages, none of which are related to the HTTPClient2 fallback that causes the bug. The correct fix is a focused 5-line change that overrides HTTPClient2 when -pr http11 is set. Closing as superseded.

@Mzack9999 Mzack9999 closed this Mar 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dogancanbakir dogancanbakir Awaiting requested review from dogancanbakir

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@MrLawrenceKwan @Mzack9999 @dogancanbakir @LawrenceKwan