
Rack 3.0 HTTP/2 headers format #4000

Open
Strech opened this issue Oct 15, 2024 · 0 comments
Labels
appsec Application Security monitoring product question General inquiry that may or may not involve changes

Comments

@Strech
Contributor

Strech commented Oct 15, 2024

Starting with Rack 3.0, it's enforced (at least in development mode) to conform with the HTTP/2 specification. It touches many aspects of the response, and especially the header key format.

It's recommended/enforced to have lower-case header keys in the response. Technically, the HTTP spec defines header keys as case-insensitive:

Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2

At the same time, it's a potentially dangerous move:

I think requiring lower case headers has the potential to break lots of rack applications, frameworks, and middleware. However, it would also simplify a lot of code in the long run. Since HTTP/2 requires it and HTTP/1 works fine with it, it seems a reasonable change for SPEC. I definitely prefer this approach over requiring that response headers be case insensitive.
(by jeremyevans)

But I think we should keep an 👀 on that progress.

Note

In AppSec we return a 403 response if an InApp-WAF rule triggered and blocked the request. We have camel-case headers set in the response object.


Thanks @y9v for the investigation support.

@Strech Strech added appsec Application Security monitoring product question General inquiry that may or may not involve changes labels Oct 15, 2024
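As an added example (not code from this project or from Rack), the snippet below shows the header-key rules Rack 3's `Rack::Lint` applies (keys must be Strings, contain no uppercase ASCII and no `:`, must not be `status`, and must be RFC 7230 tokens) and a small Rack-style middleware that lowercases response header keys, so a 403 blocking response built with camel-case keys like the one described above would pass them. It needs no gems; the inner `BLOCKING_APP` is a constructed stand-in for the WAF response, and `LowercaseResponseHeaders`, `normalize_rack3_headers` and `rack3_header_key_valid?` are names chosen for this example.

```ruby
# Added example, not the project's own code: Rack 3 header-key validation
# plus a middleware that lowercases response header keys.

# Rack 3 header-key rules as enforced by Rack::Lint: a String, no uppercase
# ASCII, not the reserved key "status", and only RFC 7230 token characters
# (which also excludes ':').
TOKEN_RE = /\A[a-zA-Z0-9!#$%&'*+.^_`|~-]+\z/

def rack3_header_key_valid?(key)
  key.is_a?(String) &&
    key != "status" &&
    !key.match?(/[A-Z]/) &&
    key.match?(TOKEN_RE)
end

# Lowercase every key. If two keys collapse onto the same lowercase name
# (e.g. "Content-Type" and "content-type"), keep both values as an Array,
# which Rack 3 allows for multi-valued headers, rather than silently
# dropping one of them.
def normalize_rack3_headers(headers)
  headers.each_with_object({}) do |(key, value), out|
    name = key.to_s.downcase
    out[name] = out.key?(name) ? Array(out[name]) + Array(value) : value
  end
end

# Rack-style middleware: wraps an app and rewrites its response headers.
class LowercaseResponseHeaders
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, normalize_rack3_headers(headers), body]
  end
end

# Constructed inner app standing in for a WAF blocking response: it returns
# 403 with camel-case header keys, the situation the issue describes.
BLOCKING_BODY = '{"errors":[{"title":"blocked"}]}'.freeze
BLOCKING_APP = lambda do |_env|
  [403,
   { "Content-Type" => "application/json",
     "Content-Length" => BLOCKING_BODY.bytesize.to_s },
   [BLOCKING_BODY]]
end

# Returns the [status, headers, body] triple after the middleware ran.
def blocked_response
  LowercaseResponseHeaders.new(BLOCKING_APP).call({})
end

if __FILE__ == $PROGRAM_NAME
  status, headers, _body = blocked_response
  puts "status: #{status}"
  headers.each do |k, v|
    puts "#{k}: #{v} (#{rack3_header_key_valid?(k) ? 'ok' : 'INVALID'})"
  end
end
```

Running the file prints the 403 status and the two lowercased headers, each marked `ok` by the validator; feeding the original `"Content-Type"` key to `rack3_header_key_valid?` returns false, which is the mismatch Rack 3 would report in development mode.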
No branches or pull requests

1 participant