Please tell me if there are any standards for the design strategy of the cases and what is the reason for still reporting "OK" despite the response code being 200

[sunnie-star]

Thank you very much for your work. I have two questions that I would like to ask you. Could you please answer them? Thank you very much!

Q1: Different agents may have different strategies for parsing headers and handling TE CL. How to design cases that are not too aggressive, but can truly intercept the risk of smuggling vulnerabilities

Q2: When I was testing the HTTP smuggling vulnerability interception function of my web server, when the response code was 200, there was no potential risk of displaying tecl or clte by this tool. However, if the interception was successful, it should be a response of 400 bad request. Could you please explain why the tool only displays tecl or clte risk when timeout according to your code?

Thank you very much again!