diff --git a/docs/content/compliance/_index.md b/docs/content/compliance/_index.md index 9803dbd..e644df9 100644 --- a/docs/content/compliance/_index.md +++ b/docs/content/compliance/_index.md @@ -28,7 +28,7 @@ Each test sends a request that violates a specific **MUST** or **MUST NOT** requ 'RFC9112-3-MULTI-SP-REQUEST-LINE','RFC9112-3-MISSING-TARGET', 'RFC9112-3.2-FRAGMENT-IN-TARGET','RFC9112-2.3-INVALID-VERSION', 'RFC9112-2.3-HTTP09-REQUEST','COMP-ASTERISK-WITH-GET','COMP-OPTIONS-STAR', - 'COMP-CONNECT-EMPTY-PORT','COMP-CONNECT-ORIGIN-FORM','COMP-ABSOLUTE-FORM', + 'COMP-ABSOLUTE-FORM', 'COMP-METHOD-CASE','COMP-REQUEST-LINE-TAB', 'COMP-VERSION-MISSING-MINOR','COMP-VERSION-LEADING-ZEROS', 'COMP-VERSION-WHITESPACE','COMP-HTTP12-VERSION', @@ -48,7 +48,7 @@ Each test sends a request that violates a specific **MUST** or **MUST NOT** requ 'COMP-CHUNKED-TRAILER-VALID','COMP-CHUNKED-HEX-UPPERCASE' ]}, { key: 'methods-upgrade', label: 'Methods & Upgrade', testIds: [ - 'COMP-METHOD-CONNECT','COMP-METHOD-CONNECT-NO-PORT', + 'COMP-METHOD-CONNECT', 'COMP-UNKNOWN-TE-501','COMP-EXPECT-UNKNOWN','COMP-METHOD-TRACE', 'COMP-TRACE-WITH-BODY', 'COMP-UPGRADE-POST','COMP-UPGRADE-MISSING-CONN', diff --git a/docs/content/docs/request-line/_index.md b/docs/content/docs/request-line/_index.md index a5e19df..ee5e2c8 100644 --- a/docs/content/docs/request-line/_index.md +++ b/docs/content/docs/request-line/_index.md @@ -25,9 +25,7 @@ Note this is a SHOULD, not a MUST. The RFC recommends 400 but does not mandate i {{< card link="asterisk-with-get" title="ASTERISK-WITH-GET" subtitle="Asterisk-form (*) with non-OPTIONS method." >}} {{< card link="options-star" title="OPTIONS-STAR" subtitle="OPTIONS * — valid asterisk-form request." >}} {{< card link="unknown-te-501" title="UNKNOWN-TE-501" subtitle="Unknown Transfer-Encoding without CL." >}} - {{< card link="connect-empty-port" title="CONNECT-EMPTY-PORT" subtitle="CONNECT with empty port in authority-form." >}} {{< card link="method-connect" title="METHOD-CONNECT" subtitle="CONNECT to an origin server must be rejected." >}} - {{< card link="method-connect-no-port" title="METHOD-CONNECT-NO-PORT" subtitle="CONNECT without port in authority-form." >}} {{< /cards >}} ### Unscored diff --git a/docs/content/docs/request-line/connect-empty-port.md b/docs/content/docs/request-line/connect-empty-port.md deleted file mode 100644 index 5fe9c68..0000000 --- a/docs/content/docs/request-line/connect-empty-port.md +++ /dev/null @@ -1,87 +0,0 @@ ---- -title: "CONNECT-EMPTY-PORT" -description: "CONNECT-EMPTY-PORT test documentation" -weight: 11 ---- - -| | | -|---|---| -| **Test ID** | `COMP-CONNECT-EMPTY-PORT` | -| **Category** | Compliance | -| **RFC** | [RFC 9112 Section 3.2.3](https://www.rfc-editor.org/rfc/rfc9112#section-3.2.3) | -| **Requirement** | MUST reject | -| **Expected** | `400` or close | - -## What it sends - -`CONNECT host: HTTP/1.1` — authority-form with empty port. - -```http -CONNECT localhost: HTTP/1.1\r\n -Host: localhost:\r\n -\r\n -``` - -The authority-form has a colon but no port number. - - -## What the RFC says - -> "The 'authority-form' of request-target is only used for CONNECT requests. It consists of only the uri-host and port number of the tunnel destination, separated by a colon (':')." -- RFC 9112 §3.2.3 - -> "authority-form = uri-host ':' port" -- RFC 9112 §3.2.3 - -An empty port (the colon is present but no digits follow) does not satisfy the `port` production rule, making this an invalid authority-form. Since the request-target does not match the required grammar, the server should reject it with `400`. - -## Why it matters - -CONNECT with an empty port is syntactically invalid. Accepting it could cause undefined proxy behavior. - -## Deep Analysis - -### Relevant ABNF Grammar - -``` -request-line = method SP request-target SP HTTP-version -request-target = origin-form / absolute-form / authority-form / asterisk-form -authority-form = uri-host ":" port -port = *DIGIT -``` - -The `authority-form` requires a `uri-host`, a literal colon, and a `port`. While the `port` production technically allows zero digits (`*DIGIT`), RFC 3986 Section 3.2.3 clarifies that the URI scheme defines the semantics of the port component, and HTTP requires a valid port number for CONNECT tunnel establishment. - -### RFC Evidence - -**RFC 9112 Section 3.2.3** defines the authority-form restriction: - -> "The 'authority-form' of request-target is only used for CONNECT requests (Section 9.3.6 of [HTTP])." -- RFC 9112 Section 3.2.3 - -**RFC 9112 Section 3.2.3** specifies what the client must send: - -> "When making a CONNECT request to establish a tunnel through one or more proxies, a client MUST send only the host and port of the tunnel destination as the request-target." — RFC 9112 Section 3.2.3 - -**RFC 9112 Section 3** provides the fallback for invalid request-lines: - -> "Recipients of an invalid request-line SHOULD respond with either a 400 (Bad Request) error or a 301 (Moved Permanently) redirect with the request-target properly encoded." -- RFC 9112 Section 3 - -### Chain of Reasoning - -1. The `authority-form` grammar requires `uri-host ":" port`. The CONNECT method mandates that the request-target contain "the host and port of the tunnel destination." -2. In `CONNECT localhost: HTTP/1.1`, the colon is present but the port component is empty (zero digits). -3. While `*DIGIT` technically matches zero digits at the ABNF level, the semantic requirement is clear: a CONNECT request must identify a tunnel destination with both host **and** port. An empty port does not identify a destination. -4. The RFC requires the client to send "only the host and port" -- an empty port means no port was specified, violating this requirement. -5. A server that accepts this must guess the port (e.g., defaulting to 80 or 443), which creates ambiguity in tunnel establishment. - -### Scoring Justification - -**Scored (MUST).** The RFC mandates that CONNECT targets include both host and port. An empty port violates the MUST requirement that the client "send only the host and port of the tunnel destination." A server that accepts an empty port is processing a syntactically incomplete authority-form, which could lead to undefined proxy behavior. The test expects `400` or connection close. - -### Edge Cases - -- **Port 0:** `CONNECT host:0 HTTP/1.1` is syntactically valid (port = 1*DIGIT) but semantically meaningless since port 0 is reserved. Most servers should reject this. -- **Port > 65535:** `CONNECT host:99999 HTTP/1.1` matches the ABNF but exceeds the valid TCP port range. Servers should validate the numeric range. -- **Trailing colon with spaces:** `CONNECT host: HTTP/1.1` would be parsed as a request-line where the space after the colon is the SP delimiter. The port is still empty. - -## Sources - -- [RFC 9112 Section 3.2.3](https://www.rfc-editor.org/rfc/rfc9112#section-3.2.3) diff --git a/docs/content/docs/request-line/connect-origin-form.md b/docs/content/docs/request-line/connect-origin-form.md deleted file mode 100644 index 1bb89c1..0000000 --- a/docs/content/docs/request-line/connect-origin-form.md +++ /dev/null @@ -1,87 +0,0 @@ ---- -title: "CONNECT-ORIGIN-FORM" -description: "CONNECT-ORIGIN-FORM test documentation" -weight: 18 ---- - -| | | -|---|---| -| **Test ID** | `COMP-CONNECT-ORIGIN-FORM` | -| **Category** | Compliance | -| **RFC** | [RFC 9112 §3.2.3](https://www.rfc-editor.org/rfc/rfc9112#section-3.2.3) | -| **Requirement** | MUST | -| **Expected** | `400` or close | - -## What it sends - -A CONNECT request that uses origin-form (`/path`) instead of the required authority-form (`host:port`). - -```http -CONNECT /path HTTP/1.1\r\n -Host: localhost:8080\r\n -\r\n -``` - -## What the RFC says - -> "The 'authority-form' of request-target is only used for CONNECT requests. It consists of only the uri-host and port number of the tunnel destination, separated by a colon (':')." -- RFC 9112 §3.2.3 - -> "When making a CONNECT request to establish a tunnel through one or more proxies, a client MUST send only the host and port of the tunnel destination as the request-target." -- RFC 9112 §3.2.3 - -> "CONNECT uses a special form of request target, unique to this method, consisting of only the host and port number of the tunnel destination, separated by a colon." -- RFC 9110 §9.3.6 - -The CONNECT method establishes a tunnel to the destination identified by the request-target. The target must be in authority-form (`host:port`), not origin-form (`/path`). A CONNECT request with `/path` is syntactically invalid because the server cannot determine the tunnel endpoint. - -## Why it matters - -If a server accepts a CONNECT request with origin-form, it may attempt to establish a tunnel to an unintended destination, or worse, process it as a regular proxied request. This confusion between request forms can be exploited to bypass access controls, reach internal services, or cause Server-Side Request Forgery (SSRF) through a misconfigured proxy. - -## Deep Analysis - -### Relevant ABNF Grammar - -``` -request-line = method SP request-target SP HTTP-version -request-target = origin-form / absolute-form / authority-form / asterisk-form -authority-form = uri-host ":" port -origin-form = absolute-path [ "?" query ] -``` - -CONNECT exclusively requires `authority-form`. The `origin-form` (`/path`) is reserved for non-CONNECT, non-OPTIONS requests to origin servers. Using origin-form with CONNECT is a category error -- the wrong request-target production for the method. - -### RFC Evidence - -**RFC 9112 Section 3.2.3** restricts CONNECT to authority-form: - -> "The 'authority-form' of request-target is only used for CONNECT requests (Section 9.3.6 of [HTTP])." -- RFC 9112 Section 3.2.3 - -**RFC 9112 Section 3.2.3** mandates what clients must send: - -> "When making a CONNECT request to establish a tunnel through one or more proxies, a client MUST send only the host and port of the tunnel destination as the request-target." -- RFC 9112 Section 3.2.3 - -**RFC 9110 Section 9.3.6** reinforces the target format from the semantics side: - -> "CONNECT uses a special form of request target, unique to this method, consisting of only the host and port number of the tunnel destination, separated by a colon." -- RFC 9110 Section 9.3.6 - -### Chain of Reasoning - -1. The RFC defines four request-target forms and maps each to specific methods: origin-form for general requests, absolute-form for proxy requests, authority-form for CONNECT, and asterisk-form for server-wide OPTIONS. -2. CONNECT is the **only** method that uses authority-form, and authority-form is the **only** valid form for CONNECT. This is a bidirectional restriction. -3. `CONNECT /path HTTP/1.1` uses origin-form instead of authority-form. The `/path` string cannot be parsed as `uri-host ":" port` -- it lacks both a host component and a port. -4. A server cannot determine a tunnel destination from `/path`. There is no host, no port, and no colon separator. -5. If the server interprets `/path` as a resource path rather than a tunnel target, it may confuse CONNECT with a regular request, leading to SSRF or access control bypass. - -### Scoring Justification - -**Scored (MUST).** The RFC uses explicit MUST language: clients "MUST send only the host and port of the tunnel destination." An origin-form target like `/path` fundamentally violates this requirement because it does not contain a host or port. A server that accepts this is processing an invalid request-target form for the method, creating a parsing ambiguity with serious security implications. - -### Edge Cases - -- **CONNECT /host:port HTTP/1.1:** Even if the path happens to look like `host:port`, it starts with `/`, making it origin-form rather than authority-form. The leading slash disqualifies it. -- **CONNECT http://host:port/ HTTP/1.1:** This would be absolute-form, not authority-form. While it contains host and port information, the RFC explicitly requires authority-form for CONNECT. -- **CONNECT host:port/path HTTP/1.1:** The trailing `/path` makes this invalid authority-form since `authority-form = uri-host ":" port` has no path component. - -## Sources - -- [RFC 9112 §3.2.3 -- CONNECT](https://www.rfc-editor.org/rfc/rfc9112#section-3.2.3) -- [RFC 9110 Section 9.3.6 -- CONNECT](https://www.rfc-editor.org/rfc/rfc9110#section-9.3.6) diff --git a/docs/content/docs/request-line/method-connect-no-port.md b/docs/content/docs/request-line/method-connect-no-port.md deleted file mode 100644 index 68f36b3..0000000 --- a/docs/content/docs/request-line/method-connect-no-port.md +++ /dev/null @@ -1,90 +0,0 @@ ---- -title: "METHOD-CONNECT-NO-PORT" -description: "METHOD-CONNECT-NO-PORT test documentation" -weight: 13 ---- - -| | | -|---|---| -| **Test ID** | `COMP-METHOD-CONNECT-NO-PORT` | -| **Category** | Compliance | -| **RFC** | [RFC 9112 Section 3.2.3](https://www.rfc-editor.org/rfc/rfc9112#section-3.2.3) | -| **Requirement** | MUST reject | -| **Expected** | `400` or close | - -## What it sends - -`CONNECT example.com HTTP/1.1` — a CONNECT request with authority-form that is missing the required port. - -```http -CONNECT example.com HTTP/1.1\r\n -Host: example.com\r\n -\r\n -``` - -The CONNECT target uses the hostname without a port number. - - -## What the RFC says - -> "The 'authority-form' of request-target is only used for CONNECT requests. It consists of only the uri-host and port number of the tunnel destination, separated by a colon (':')." -- RFC 9112 §3.2.3 - -> "authority-form = uri-host ':' port" -- RFC 9112 §3.2.3 - -> "CONNECT uses a special form of request target, unique to this method, consisting of only the host and port number of the tunnel destination, separated by a colon. There is no default port; a client MUST send the port number even if the CONNECT request is based on a URI reference that contains an authority component with an elided port." -- RFC 9110 §9.3.6 - -The authority-form grammar requires both host and port separated by a colon. Omitting the port entirely makes the request-target invalid. - -## Why it matters - -A server or proxy that accepts CONNECT without a port must guess the target port, which can lead to unexpected connections. This is a parsing ambiguity that could be exploited for SSRF or port confusion attacks. - -## Deep Analysis - -### Relevant ABNF Grammar - -``` -request-line = method SP request-target SP HTTP-version -request-target = origin-form / absolute-form / authority-form / asterisk-form -authority-form = uri-host ":" port -port = *DIGIT -``` - -The `authority-form` production requires three components: a `uri-host`, a literal colon (`":"`), and a `port`. In `CONNECT example.com HTTP/1.1`, the request-target is `example.com` -- there is no colon and no port. This does not match the `authority-form` grammar, nor does it match any other valid `request-target` form for the CONNECT method. - -### RFC Evidence - -**RFC 9112 Section 3.2.3** defines the authority-form grammar and its restriction: - -> "The 'authority-form' of request-target is only used for CONNECT requests (Section 9.3.6 of [HTTP])." -- RFC 9112 Section 3.2.3 - -**RFC 9112 Section 3.2.3** mandates what the client must send: - -> "When making a CONNECT request to establish a tunnel through one or more proxies, a client MUST send only the host and port of the tunnel destination as the request-target." -- RFC 9112 Section 3.2.3 - -**RFC 9110 Section 9.3.6** explicitly prohibits port elision: - -> "CONNECT uses a special form of request target, unique to this method, consisting of only the host and port number of the tunnel destination, separated by a colon. There is no default port; a client MUST send the port number even if the CONNECT request is based on a URI reference that contains an authority component with an elided port." -- RFC 9110 Section 9.3.6 - -### Chain of Reasoning - -1. The `authority-form` ABNF requires `uri-host ":" port`. A request-target of `example.com` (no colon, no port) does not match this production. -2. RFC 9110 Section 9.3.6 contains an exceptionally explicit MUST: "There is no default port; a client MUST send the port number." This leaves no room for interpretation. -3. The RFC specifically addresses the case where a URI reference has an elided port (e.g., `http://example.com` where port 80 is implied). Even then, the client MUST send the port explicitly in the CONNECT target. -4. `CONNECT example.com HTTP/1.1` does not match any valid request-target form. It is not authority-form (no colon), not origin-form (no leading `/`), not absolute-form (no scheme), and not asterisk-form (not `*`). -5. A server that accepts this must infer a default port, creating a security-critical ambiguity in tunnel destination. - -### Scoring Justification - -**Scored (MUST).** This is one of the most explicit requirements in the HTTP specification. RFC 9110 Section 9.3.6 states "There is no default port; a client MUST send the port number." The authority-form grammar also requires the port component. A server that accepts a CONNECT without a port is violating both the grammar and an explicit MUST, and is guessing the tunnel destination, which has direct SSRF implications. - -### Edge Cases - -- **Implied port from scheme:** Even if the client intends port 443 for HTTPS, the RFC requires explicit `CONNECT example.com:443 HTTP/1.1`. Port inference is not permitted. -- **IPv6 without port:** `CONNECT [::1] HTTP/1.1` -- the IPv6 address is in brackets but there is no colon-port suffix. This is equally invalid because the port is missing. -- **Host header as fallback:** A server might attempt to extract the port from the Host header (`Host: example.com:443`). This is non-compliant because the request-target itself must contain the port. -- **Ambiguity with other forms:** Without a colon, `example.com` could be confused with a partial URI or hostname. Only the presence of `host:port` format unambiguously identifies this as authority-form. - -## Sources - -- [RFC 9112 Section 3.2.3](https://www.rfc-editor.org/rfc/rfc9112#section-3.2.3) diff --git a/docs/static/probe/render.js b/docs/static/probe/render.js index 2cee4b2..09d38b3 100644 --- a/docs/static/probe/render.js +++ b/docs/static/probe/render.js @@ -60,7 +60,6 @@ window.ProbeRender = (function () { 'COMP-CHUNKED-EXTENSION': '/Http11Probe/docs/body/chunked-extension/', 'COMP-CHUNKED-MULTI': '/Http11Probe/docs/body/chunked-multi/', 'COMP-CHUNKED-NO-FINAL': '/Http11Probe/docs/body/chunked-no-final/', - 'COMP-CONNECT-EMPTY-PORT': '/Http11Probe/docs/request-line/connect-empty-port/', 'COMP-DUPLICATE-HOST-SAME': '/Http11Probe/docs/host-header/duplicate-host-same/', 'COMP-EXPECT-UNKNOWN': '/Http11Probe/docs/headers/expect-unknown/', 'COMP-GET-WITH-CL-BODY': '/Http11Probe/docs/body/get-with-cl-body/', @@ -69,7 +68,6 @@ window.ProbeRender = (function () { 'COMP-LEADING-CRLF': '/Http11Probe/docs/line-endings/leading-crlf/', 'COMP-METHOD-CASE': '/Http11Probe/docs/request-line/method-case/', 'COMP-METHOD-CONNECT': '/Http11Probe/docs/request-line/method-connect/', - 'COMP-METHOD-CONNECT-NO-PORT': '/Http11Probe/docs/request-line/method-connect-no-port/', 'COMP-METHOD-TRACE': '/Http11Probe/docs/request-line/method-trace/', 'COMP-OPTIONS-STAR': '/Http11Probe/docs/request-line/options-star/', 'COMP-POST-CL-BODY': '/Http11Probe/docs/body/post-cl-body/', @@ -166,7 +164,6 @@ window.ProbeRender = (function () { 'COMP-CHUNKED-HEX-UPPERCASE': '/Http11Probe/docs/body/chunked-hex-uppercase/', 'COMP-CHUNKED-TRAILER-VALID': '/Http11Probe/docs/body/chunked-trailer-valid/', 'COMP-CONNECTION-CLOSE': '/Http11Probe/docs/headers/connection-close/', - 'COMP-CONNECT-ORIGIN-FORM': '/Http11Probe/docs/request-line/connect-origin-form/', 'COMP-HOST-EMPTY-VALUE': '/Http11Probe/docs/host-header/host-empty-value/', 'COMP-HTTP10-DEFAULT-CLOSE': '/Http11Probe/docs/headers/http10-default-close/', 'COMP-HTTP10-NO-HOST': '/Http11Probe/docs/host-header/http10-no-host/', diff --git a/src/Http11Probe.Cli/Reporting/DocsUrlMap.cs b/src/Http11Probe.Cli/Reporting/DocsUrlMap.cs index a613d5c..4e91440 100644 --- a/src/Http11Probe.Cli/Reporting/DocsUrlMap.cs +++ b/src/Http11Probe.Cli/Reporting/DocsUrlMap.cs @@ -53,15 +53,12 @@ internal static class DocsUrlMap // request-line ["COMP-ABSOLUTE-FORM"] = "request-line/absolute-form", ["COMP-ASTERISK-WITH-GET"] = "request-line/asterisk-with-get", - ["COMP-CONNECT-EMPTY-PORT"] = "request-line/connect-empty-port", - ["COMP-CONNECT-ORIGIN-FORM"] = "request-line/connect-origin-form", ["RFC9112-3.2-FRAGMENT-IN-TARGET"] = "request-line/fragment-in-target", ["RFC9112-2.3-HTTP09-REQUEST"] = "request-line/http09-request", ["COMP-HTTP12-VERSION"] = "request-line/http12-version", ["RFC9112-2.3-INVALID-VERSION"] = "request-line/invalid-version", ["COMP-METHOD-CASE"] = "request-line/method-case", ["COMP-METHOD-CONNECT"] = "request-line/method-connect", - ["COMP-METHOD-CONNECT-NO-PORT"] = "request-line/method-connect-no-port", ["COMP-METHOD-TRACE"] = "request-line/method-trace", ["RFC9112-3-MISSING-TARGET"] = "request-line/missing-target", ["RFC9112-3-MULTI-SP-REQUEST-LINE"] = "request-line/multi-sp-request-line", diff --git a/src/Http11Probe/TestCases/Suites/ComplianceSuite.cs b/src/Http11Probe/TestCases/Suites/ComplianceSuite.cs index b9f4463..4f89951 100644 --- a/src/Http11Probe/TestCases/Suites/ComplianceSuite.cs +++ b/src/Http11Probe/TestCases/Suites/ComplianceSuite.cs @@ -458,20 +458,6 @@ public static IEnumerable GetTestCases() } }; - yield return new TestCase - { - Id = "COMP-CONNECT-EMPTY-PORT", - Description = "CONNECT with empty port must be rejected", - Category = TestCategory.Compliance, - RfcReference = "RFC 9112 §3.2.3", - PayloadFactory = ctx => MakeRequest($"CONNECT {ctx.Host}: HTTP/1.1\r\nHost: {ctx.Host}:\r\n\r\n"), - Expected = new ExpectedBehavior - { - ExpectedStatus = StatusCodeRange.Exact(400), - AllowConnectionClose = true - } - }; - // ── Body / Content-Length / Chunked ────────────────────────── yield return new TestCase @@ -693,21 +679,6 @@ public static IEnumerable GetTestCases() } }; - yield return new TestCase - { - Id = "COMP-METHOD-CONNECT-NO-PORT", - Description = "CONNECT without port in authority-form must be rejected", - Category = TestCategory.Compliance, - RfcReference = "RFC 9112 §3.2.3", - PayloadFactory = _ => MakeRequest( - "CONNECT example.com HTTP/1.1\r\nHost: example.com\r\n\r\n"), - Expected = new ExpectedBehavior - { - ExpectedStatus = StatusCodeRange.Exact(400), - AllowConnectionClose = true - } - }; - // ── Expect ────────────────────────────────────────────────── yield return new TestCase @@ -983,21 +954,6 @@ public static IEnumerable GetTestCases() } }; - yield return new TestCase - { - Id = "COMP-CONNECT-ORIGIN-FORM", - Description = "CONNECT with origin-form target (/path) must be rejected — CONNECT requires authority-form", - Category = TestCategory.Compliance, - RfcReference = "RFC 9112 §3.2.3", - PayloadFactory = ctx => MakeRequest( - $"CONNECT /path HTTP/1.1\r\nHost: {ctx.HostHeader}\r\n\r\n"), - Expected = new ExpectedBehavior - { - ExpectedStatus = StatusCodeRange.Exact(400), - AllowConnectionClose = true - } - }; - yield return new TestCase { Id = "COMP-HTTP12-VERSION", diff --git a/src/Servers/NancyServer/Program.cs b/src/Servers/NancyServer/Program.cs index 4a51298..d261f39 100644 --- a/src/Servers/NancyServer/Program.cs +++ b/src/Servers/NancyServer/Program.cs @@ -21,5 +21,7 @@ public HomeModule() { Get("/{path*}", _ => "OK"); Get("/", _ => "OK"); + Post("/{path*}", _ => "OK"); + Post("/", _ => "OK"); } }