HTTP Request Smuggling (Score 2, Informative)

I RTFA and the white paper. Worth mentioning here (I searched the first 108 comments and saw no mention of this):

- HTTPS is not affected

The white paper, while seemingly complete and well written, mentions this almost in passing near the end of the document. That may cause many readers, if they simply skim the paper, to miss this critical point. Further, it discounts using HTTPS as "...an impractical solution".

If security is engineered into your site from the beginning, there's nothing at all impractical about using HTTPS.