Issue type: Task, Resolution: Unresolved, Priority: P2 (Important)
Regarding Limitations and Security we write in our documentation (https://doc.qt.io/qt-6/qthttpserver-index.html#limitations-and-security):
"Qt HTTP Server does not have many of the more advanced features and optimizations that general-purpose HTTP servers have. It also has not seen the same scrutiny regarding various attack vectors over the network. Use Qt HTTP Server, therefore, only for local connections or in a trusted network, and do not expose the ports to the internet."
It would be great to test as many attack vectors as possible ourselves, to see how serious the problems are, to document them and, where possible, to fix them.
This task is a continuation and extension of QTBUG-75087: Basic protection against DDoS, flooding, brute-force.
Setup
QHttpServer is not a finished application but a library that needs to be completed with callbacks that actually handle the requests:
    QHttpServer server;
    server.route("/", [] () { return "hello world"; });
For the purpose of testing QHttpServer we should set up a simple server example that covers most use cases our users might have (responding with files from disk, responding with generated data, simple responses). Also consider asynchronous callbacks and the various protocol versions (HTTP/1.0, HTTP/1.1, HTTP/2).
Testing
We should test the simple server example against the common attack vectors for HTTP servers (still to be researched). The server should not freeze, it should not crash, and it should keep replying consistently and correctly.
Reporting
We should record and report which attack vectors are potentially successful against which forms of callbacks. Document the tools and methods used for testing and write a guideline on how to repeat them. If we can harden QHttpServer internally we should do so; if specific callbacks, or hardening of them, are required, we should note this in the documentation.
Issue links: resulted from QTBUG-75087 Basic protection against DDoS, flooding, brute-force (Closed)