HTTP/2 server now accepts client priority signals, as defined in RFC 9218,
allowing it to prioritize serving HTTP/2 streams with higher priority. If the
old behavior is preferred, where streams are served in a round-robin manner

In that case **this attack / risk doesn't apply to you**.

This risk and attack is mainly relevant when the app runs on the **local network** and that is the **only assumed protection**.

## Allowing Requests Without Content-Type { #allowing-requests-without-content-type }

If you need to support clients that don't send a `Content-Type` header, you can disable strict checking by setting `strict_content_type=False`:

programs, this change should be a no-op, or result in a performance improvement.
In rare cases, programs that do not benefit from connection reuse might
experience performance degradation if they had been improperly allowing an
excessive amount of idle connections to linger; usually by setting
[Transport.MaxIdleConns] to `0` or using different [Client]s for different
requests, thereby bypassing [Transport.MaxIdleConns] limit. In these cases,

 * It contains various attributes related to the crawler's state, configuration, and runtime data.
 * This class provides methods to access and modify these attributes, allowing for control and monitoring
 * of the crawler's behavior.
 *
 * <p>
 * The context includes information such as the session ID, active thread count, access count, crawler status,

# Added GE support maven support to the maven build in .teamcity, per the GE docs, this dir is NOT to be committed
.teamcity/.mvn/.develocity/
/discoclient.properties

# Ignore local configuration files for asdf, allowing the JDK to be configured for project (https://asdf-vm.com)
.tool-versions

# AI 
# ---
.claude/CLAUDE.local.md
.claude/settings.local.json

import jakarta.annotation.PostConstruct;

/**
 * Helper class for managing duplicate host configurations in the Fess search system.
 * This class handles URL conversion based on duplicate host rules, allowing multiple
 * hostnames or URLs to be treated as equivalent for crawling and indexing purposes.
 * It maintains a list of DuplicateHost rules and applies them to URLs.
 *
 */
public class DuplicateHostHelper {

    /** Configuration key for allowing localhost authentication bypass. */
    protected static final String SPNEGO_ALLOW_LOCALHOST = "spnego.allow.localhost";

    /** Configuration key for prompting NTLM authentication. */
    protected static final String SPNEGO_PROMPT_NTLM = "spnego.prompt.ntlm";

    /** Configuration key for allowing unsecure basic authentication. */

This policy protects our limited review budget, allowing us to invest our attention wisely.

Embedding a Java runtime in the distribution would provide some benefits, such as allowing the Launcher, Daemon and Workers to run on it, removing the prerequisite of an installed Java runtime.
However, this does not fully remove the prerequisite, as the Wrapper itself would still need an installed Java runtime to execute.

如果你的应用部署在开放的互联网，你不会“信任网络”，也不会允许任何人不经认证就发送特权请求。

攻击者完全可以直接运行脚本向你的 API 发送请求，无需借助浏览器交互，因此你很可能已经对任何特权端点做好了安全防护。

在这种情况下，以上攻击/风险不适用于你。

该风险/攻击主要发生在应用运行于本地网络、且“仅依赖网络隔离作为保护”的场景。

## 允许无 Content-Type 的请求 { #allowing-requests-without-content-type }

如果你需要兼容不发送 `Content-Type` 头的客户端，可以通过设置 `strict_content_type=False` 来关闭严格检查：

{* ../../docs_src/strict_content_type/tutorial001_py310.py hl[4] *}