Invalid HTTP/2 request headers return 400 Bad Request instead of GOAWAY

[pjfanning]

akka/akka-http#4227 is now available under Apache license

See #960 and #59

[pjfanning]

there are 5 test failures in org.apache.pekko.http.impl.engine.http2.H2SpecIntegrationSpec - I may have made a mistake in code but it could be that this change just breaks these tests

the test failures look legit in that they fail because bad headers now cause Bad Request response instead of a GOAWAY DataFrame.

I'm not sure why the akka-http PR does not include a change to the H2SpecIntegrationSpec and there are no other changes to it in the 10.5.0 release

[jrudolph]

In a recent run in akka-http these tests show all up as IGNORED, so I think they are/were not checked.

Details

2026-02-24T03:04:35.5020464Z Coroner Thread Count starts at 18 in akka.http.impl.engine.http2.H2SpecIntegrationSpec
2026-02-24T03:04:35.5036204Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[32mH2Spec�[0m�[0m
2026-02-24T03:04:36.5972122Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[32m- must pass rule: 3.5. HTTP/2 Connection Preface (1 second, 92 milliseconds)�[0m�[0m
2026-02-24T03:04:36.5979381Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[33m- must pass rule: 4.2. Frame Size !!! IGNORED !!!�[0m�[0m
2026-02-24T03:04:36.5982585Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[33m- must pass rule: 4.3. Header Compression and Decompression !!! IGNORED !!!�[0m�[0m
2026-02-24T03:04:36.5985984Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[33m- must pass rule: 5.1. Stream States !!! IGNORED !!!�[0m�[0m
2026-02-24T03:04:36.5989295Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[33m- must pass rule: 5.1.1. Stream Identifiers !!! IGNORED !!!�[0m�[0m
2026-02-24T03:04:36.5991111Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[33m- must pass rule: 5.1.2. Stream Concurrency !!! IGNORED !!!�[0m�[0m
2026-02-24T03:04:36.6041990Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[32m- must pass rule: 5.3. Stream Priority (5 milliseconds)�[0m�[0m
2026-02-24T03:04:36.6607309Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[32m- must pass rule: 5.3.1. Stream Dependencies (54 milliseconds)�[0m�[0m
2026-02-24T03:04:36.6610671Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[33m- must pass rule: 5.5. Extending HTTP/2 !!! IGNORED !!!�[0m�[0m
2026-02-24T03:04:36.6611730Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[33m- must pass rule: 6.1. DATA !!! IGNORED !!!�[0m�[0m
2026-02-24T03:04:36.7498817Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[32m- must pass rule: 6.2. HEADERS (90 milliseconds)�[0m�[0m
2026-02-24T03:04:36.7514341Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[33m- must pass rule: 6.3. PRIORITY !!! IGNORED !!!�[0m�[0m
2026-02-24T03:04:36.8131924Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[32m- must pass rule: 6.4. RST_STREAM (61 milliseconds)�[0m�[0m
2026-02-24T03:04:36.8811820Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[32m- must pass rule: 6.5. SETTINGS (66 milliseconds)�[0m�[0m
2026-02-24T03:04:36.8813831Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[33m- must pass rule: 6.5.2. Defined SETTINGS Parameters !!! IGNORED !!!�[0m�[0m
2026-02-24T03:04:36.9313964Z �[0m[�[0m�[0minfo�[0m] �[0m�[0m�[32m- must pass rule: 6.7. PING (50 milliseconds)�[0m�[0m

[jrudolph]

I'd say the test failures are somewhat legit. Right now these kind of parsing errors are all treated with a 400 Bad Request response. However, the cases flagged by the test are all cases of transport/protocol style errors that a valid client should not make (wrong-pseudo headers, illegal usage of TE). So, there's a case to be made to answer these with a RST_STREAM(PROTOCOL_ERROR). Usually, 400 responses are used for application level header / request problems less than for transport layer problems (basically, the client application now gets a nice error message but cannot do anything about it because the client library is broken).

Not terribly important, so could also make sense to list the failing tests as pending and create an issue to look into changing the behavior for these particular cases.