Hello!
In the minimal example listed under “Routing DSL for HTTP servers” within the Akka HTTP documentation, an internal server error (HTTP response code 500) is triggered when an HTTP request is made with an unexpected value in the “Accept-Charset” header. This behavior can be replicated, for instance, using curl as follows:
    curl http://localhost:8080/hello -H 'Accept-Charset: asd'
I tried this in Akka HTTP 10.5.2 and some earlier versions.
Based on the recommendations provided in the MDN Web Docs, I would expect the header to be ignored by default.
The current behavior becomes particularly problematic as malicious actors frequently try to inject code through this header; each attempt appears in my server logs.
I would appreciate a comment on this. Is there any global configuration option to prevent the header from being evaluated?