Description
I think it would be very valuable for people to have an option to choose something between strict and defensive. The below makes the most sense in balancing security versus non-breaking changes for larger and more complex environments.
Right now, defensive mode is letting some HTTP desync attempts succeed in reaching backend servers. I've already consulted AWS about this, and they said our option is to go to strict, which is not possible after reviewing logs and seeing how many requests would still be in the Ambiguous category, including those that are succeeding in causing HTTP desync situations that are exploitable.
Current:
| Classification | Defensive mode | Strictest mode |
|---|---|---|
| Compliant | Allowed | Allowed |
| Acceptable | Allowed | Blocked |
| Ambiguous | Allowed¹ | Blocked |
| Severe | Blocked | Blocked |
Proposed:
| Classification | Defensive mode | Strictest mode | New Mode |
|---|---|---|---|
| Compliant | Allowed | Allowed | Allowed |
| Acceptable | Allowed | Blocked | Allowed |
| Ambiguous | Allowed¹ | Blocked | Blocked |
| Severe | Blocked | Blocked | Blocked |
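To make the difference between the three columns concrete, here is an added example (not the project's or AWS's classifier code): a toy classifier that sorts raw requests into the four tiers and then applies each mode's allow/block policy from the tables above. The tier rules, the `Tier` enum, the `BLOCKED_TIERS` table, the function names and the sample requests are all assumptions constructed for this illustration; the rules loosely follow RFC 7230 section 3.3.3 and are far simpler than the real classifier, which may tier some of these cases differently.

```python
"""Toy request-smuggling classifier plus the three mode policies from this issue.

Added example, not http-desync-guardian code. Tier rules are simplified
assumptions loosely following RFC 7230 section 3.3.3.
"""
from enum import Enum


class Tier(Enum):
    COMPLIANT = "Compliant"
    ACCEPTABLE = "Acceptable"
    AMBIGUOUS = "Ambiguous"
    SEVERE = "Severe"


# Which tiers each mode blocks, transcribed from the issue's tables.
BLOCKED_TIERS = {
    "Defensive": {Tier.SEVERE},
    "Strictest": {Tier.ACCEPTABLE, Tier.AMBIGUOUS, Tier.SEVERE},
    "New Mode": {Tier.AMBIGUOUS, Tier.SEVERE},
}


def header_lines(raw: bytes) -> list[str]:
    """Header-section lines after the request line, left untrimmed on purpose."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.decode("latin-1").split("\r\n")[1:]


def classify(raw: bytes) -> Tier:
    lines = header_lines(raw)
    # Obs-fold continuation lines are deprecated and parsers disagree on them.
    if any(line[:1] in (" ", "\t") for line in lines):
        return Tier.AMBIGUOUS
    names, cl, te = [], [], []
    for line in lines:
        name, _, value = line.partition(":")
        names.append(name)
        key = name.strip().lower()
        if key == "content-length":
            cl.append(value.strip())
        elif key == "transfer-encoding":
            te.append(value.strip())
    # Severe (assumption): message framing cannot be trusted at all.
    if len(set(cl)) > 1:                            # conflicting Content-Length values
        return Tier.SEVERE
    if any(not v.isdigit() for v in cl):            # non-numeric Content-Length
        return Tier.SEVERE
    if te and te[-1].split(",")[-1].strip().lower() != "chunked":
        return Tier.SEVERE                          # final coding is not chunked
    # Ambiguous (assumption): defined by the RFC, but front end and back end may disagree.
    if cl and te:                                   # classic CL.TE / TE.CL setup
        return Tier.AMBIGUOUS
    if any(n != n.rstrip() for n in names):         # "Transfer-Encoding : chunked"
        return Tier.AMBIGUOUS
    # Acceptable (assumption): unusual but unambiguous.
    if len(cl) > 1:                                 # duplicate identical Content-Length
        return Tier.ACCEPTABLE
    if te and te[-1] != te[-1].lower():             # "Chunked": legal, nonstandard casing
        return Tier.ACCEPTABLE
    return Tier.COMPLIANT


def decide(raw: bytes, mode: str) -> str:
    """Apply one mode's policy to a raw request; returns 'Allowed' or 'Blocked'."""
    return "Blocked" if classify(raw) in BLOCKED_TIERS[mode] else "Allowed"


# Constructed sample requests, one per tier under the rules above.
SAMPLES = {
    "compliant": b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
    "acceptable": (b"POST / HTTP/1.1\r\nHost: app.example\r\n"
                   b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello"),
    "ambiguous": (b"POST / HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG"),
    "severe": (b"POST / HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello"),
}


def matrix() -> dict[str, dict[str, str]]:
    """Decision for every sample under every mode, mirroring the issue's tables."""
    return {name: {mode: decide(raw, mode) for mode in BLOCKED_TIERS}
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:<11} {classify(SAMPLES[name]).value:<11} {row}")
```

Running it prints one row per sample; the `ambiguous` row is the one the issue is about: Defensive lets the CL-plus-TE request through to the backend, while both Strictest and the proposed mode block it, and only the proposed mode does so without also blocking the merely unusual `acceptable` request.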