openshift · jmanthei · Mar 25, 2026 · jcmoraisjr · Apr 13, 2026 · jmanthei
diff --git a/modules/rn-ocp-release-notes-fixed-issues.adoc b/modules/rn-ocp-release-notes-fixed-issues.adoc
@@ -106,7 +106,11 @@ Instructions: Add entries in the following format under the appropriate heading:
 [id="rn-ocp-release-note-networking-fixed-issues_{context}"]
 == Networking
 
+* Previously, the OpenShift router rejected HTTP/1.1 WebSocket and `CONNECT` upgrade requests that contained a payload with a `501 Not Implemented` response. With this update, HTTP/1.1 upgrade requests with a payload are accepted. HTTP/2 upgrade requests with a payload continue to be rejected.
 
+* Previously, the OpenShift router did not process TLS 1.3 early data (0-RTT) until the TLS handshake was complete. With this update, early data is processed immediately, which improves connection performance for TLS 1.3 clients.
+
+* Previously, HTTP/2 header values with leading or trailing whitespace were passed through by the OpenShift router without modification. With this update, leading and trailing linear whitespace in HTTP/2 header values is automatically trimmed. This fix is transparent and does not affect application behavior.
 
 [id="clock-state-metrics_{context}"]
 == Clock state metrics degrade correctly after upstream clock loss

diff --git a/modules/rn-ocp-release-notes-notable-changes.adoc b/modules/rn-ocp-release-notes-notable-changes.adoc
@@ -12,3 +12,25 @@ Item description::
 Detailed information.
 ////
 
+== Networking
+
+Empty `Transfer-Encoding` header rejection::
++
+Previously, the OpenShift router accepted HTTP/1.1 requests with an empty `Transfer-Encoding` header. With this update, requests with an empty `Transfer-Encoding` header are rejected with a `400 Bad Request` response to enforce stricter HTTP protocol compliance.
+
+Forbidden characters in `Host` header rejection::
++
+Previously, the OpenShift router accepted HTTP requests that contained forbidden characters such as `/`, `?`, `#`, or `@` in the `Host` header field. With this update, requests with these characters in the `Host` header are rejected with a `400 Bad Request` response.
+
+Forbidden characters in `:authority` pseudo-header rejection::
++
+Previously, the OpenShift router accepted HTTP/2 requests that contained special characters in the `:authority` pseudo-header before reassembly. With this update, these requests are rejected with an error to enforce stricter protocol compliance.
+
+HTTP/2 header value whitespace trimming::
++
+Previously, HTTP/2 header values with leading or trailing whitespace were passed through by the OpenShift router without modification. With this update, leading and trailing linear whitespace in HTTP/2 header values is automatically trimmed. This fix is transparent and does not affect application behavior.
+
+Uppercase `Z` in HTTP/2 header field names rejection::
++
+Previously, the OpenShift router accepted the uppercase letter `Z` in HTTP/2 header field names, which violated HTTP/2 protocol requirements that header field names must be lowercase. With this update, HTTP/2 requests that contain uppercase `Z` in header field names are rejected.
+