Return HTTP 403 for blocked CONNECT requests to stop client retry storms#14

Merged
bbrowning merged 1 commit into main from http-403-for-blocked-connect
Apr 2, 2026

@bbrowning
Owner

ConnectReject with no ctx.Resp caused a bare TCP close, which HTTP
clients (npm, etc.) interpreted as a transient error and retried in a
tight loop. Setting ctx.Resp to a 403 response gives clients a clear
signal that the request was intentionally denied. Uses a generic message
across all reject paths to avoid leaking policy details to the client.

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

@bbrowning bbrowning merged commit 850c235 into main Apr 2, 2026
6 checks passed
@bbrowning bbrowning deleted the http-403-for-blocked-connect branch April 2, 2026 20:14
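
The difference the description draws between a bare TCP close and an explicit 403, as an added example that is not code from this pull request or project: it uses only the Go standard library rather than the project's proxy hooks, and `rejectConnect`, `probe`, `denied` and the host `blocked.example` are names constructed for the illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// rejectConnect denies every CONNECT. explicit=false hijacks the socket and closes
// it unanswered (bare TCP close); explicit=true answers 403 with a generic body.
func rejectConnect(explicit bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if explicit {
			// Same text on every reject path, so the body names no policy rule.
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		if conn, _, err := w.(http.Hijacker).Hijack(); err == nil {
			conn.Close()
		}
	})
}

// probe sends one CONNECT and returns the status, or an error on an unanswered close.
func probe(addr, target string) (int, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	fmt.Fprintf(conn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target)
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// denied starts a throwaway local proxy and probes it with a constructed host.
func denied(explicit bool) (int, error) {
	srv := httptest.NewServer(rejectConnect(explicit))
	defer srv.Close()
	return probe(srv.Listener.Addr().String(), "blocked.example:443")
}

func main() {
	fmt.Println(denied(false)) // unanswered close: the client sees only an I/O error
	fmt.Println(denied(true))  // explicit denial: the client sees a 403 status
}
```

With the bare close the client has no status code to act on, only a read error, which is the condition the description says clients treated as transient.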