Respect RFC 9112 during filtering out headers from a REST Response

[suchwerk]

Describe the bug

With #49894 Transfer-Encoding is already stripped. But this seams not to be sufficient when processing Response or RestResponse

Header	RFC 9112 Reference	Reason to Strip
Connection	§7.6	Declares hop-by-hop headers; forwarding can break compliance.
Keep-Alive	§7.6	Connection duration management; hop-specific.
Proxy-Authenticate	§7.6	Proxy-only auth; not end-to-end.
Proxy-Authorization	§7.6	Proxy-only auth; not end-to-end.
TE	§7.6	Hop-specific transfer encoding negotiation.
Trailer	§7.6	Only relevant for chunked transfer; hop-specific.
Transfer-Encoding	§6.1	Must not be duplicated; runtime will handle chunked encoding.
Upgrade	§7.6	Protocol upgrade only affects current connection.
Content-Length	§6.1, §6.3	If Transfer-Encoding is present, must be removed to prevent conflicts.

At least Content-Length should also be removed if Transfer-Encoding is removed.

RFC 9112, Section 6.1 – Transfer-Encoding:

A sender MUST NOT send a Content-Length header field in any message that contains a Transfer-Encoding header field.

Expected behavior

These headers should not be forwarded from a Response.

Actual behavior

With #49894 Transfer-Encoding is already stripped.

[quarkus-bot]

/cc @FroMage (rest)

[geoand]

I'd appreciate input from @FroMage on this

[FroMage]

To be honest, I'm not entirely sure whether they should be stripped because the underlying layer will set them, or exactly the opposite and they should be respected and not overridden by the underlying layer.

Although at the moment, I suspect they are probably ignored by the underlying layer which wlil happily do its own other thing, which is bad.

[suchwerk]

@FroMage For my understanding of RFC 9112 §7.6 and §6.3, hop-by-hop headers like Transfer-Encoding, Connection, and Content-Length must not be forwarded by intermediaries. They should be stripped and left to the HTTP layer (Vert.x) to set correctly. Respecting them from the JAX-RS Response is what causes the duplicate/invalid headers we’re seeing.

[FroMage]

That sounds like the logical thing to do indeed. At least until someone comes up with a use-case for driving this from the endpoint.

[suchwerk]

Well thinking like this:

JAX-RS Response = “What data and metadata does the client see?”
Vert.x HTTP Server = “How is this data transmitted over the wire?”

If you try to force hop-by-hop headers from JAX-RS, you’re stepping into Vert.x’ responsibility — and you’ll get duplication, invalid states, or ignored headers.

So if you want to set hop-by-hop headers you should it do on Vert.x' side.