HTTP/2 implementations often respond to suspected attacks by closing the connection with an ENHANCE_YOUR_CALM error code. Learn how a common pattern of using Go's HTTP/2 client can lead to unintended errors and the solution to avoiding them.

Cloudflare's platform is a leading provider of internet security and performance solutions, offering insights into web security, content delivery, and DNS management. Through documentation, blog posts, and webinars, Cloudflare provides insights into protecting websites and applications from cyber threats and improving performance. Developers and IT professionals can learn about CDN (Content Delivery Network), DDoS mitigation, and firewall configurations to secure and accelerate web traffic.

Cloudflare

Cloudflare engineers discovered that Go's HTTP/2 client implementation sends unnecessary RST_STREAM and PING frames when closing response bodies without reading them first, even when empty. This behavior triggered Cloudflare's PING flood DDoS mitigations, causing connections to close with ENHANCE_YOUR_CALM errors. The solution is to always fully read response bodies using io.Copy(io.Discard, resp.Body) before closing them, especially when reusing connections for multiple requests. The issue highlights how legitimate HTTP/2 client behavior can inadvertently mimic attack patterns and trigger security defenses.

Go and enhance your calm: demolishing an HTTP/2 interop problem

HTTP/2 is powerful – but it can be easy to misuse

Solving a microservice miscommunication mystery