fix(http11): disable retryable HTTP/2 fallback path #2437

Open
Tianlin0725 wants to merge 1 commit into projectdiscovery:dev from Tianlin0725:atlas/httpx-2240

Tianlin0725 commented Mar 5, 2026

Proposed Changes

Honor explicit -pr http11 intent by disabling retryable HTTP/2 fallback client in httpx.

  • Keep existing HTTP/1.1 enforcement in transport (GODEBUG=http2client=0 + TLSNextProto override).
  • Additionally set httpx.client.HTTPClient2 = nil when protocol is http11 so retryablehttp-go cannot silently switch to HTTP/2 fallback path.
  • Add regression test TestHTTP11ShouldDisableRetryableHTTP2Fallback.

Proof

Repro/failing behavior before fix

Added test:

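func TestHTTP11ShouldDisableRetryableHTTP2Fallback(t *testing.T) {
  opts := DefaultOptions
  opts.Protocol = "http11" // request HTTP/1.1 only
  ht, err := New(&opts)
  require.NoError(t, err) // fail here rather than dereferencing a nil client below
  // With http11 selected, no secondary (HTTP/2) client may remain.
  require.Nil(t, ht.client.HTTPClient2)
}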

Before fix:

go test ./common/httpx -run "HTTP11ShouldDisableRetryableHTTP2Fallback" -count=1
--- FAIL: TestHTTP11ShouldDisableRetryableHTTP2Fallback
Expected nil, but got: &http.Client{...}

After fix:

go test ./common/httpx -run "HTTP11ShouldDisableRetryableHTTP2Fallback" -count=1
ok  github.com/projectdiscovery/httpx/common/httpx

go test ./common/httpx -count=1
ok  github.com/projectdiscovery/httpx/common/httpx

/claim #2240

Summary by CodeRabbit

  • Bug Fixes
    • Improved HTTP/1.1 protocol handling to correctly disable HTTP/2 client fallback when configured for HTTP/1.1.
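
The behaviour the description above guards against, as an added Go example that is not code from this PR or from retryablehttp-go: a primary client pinned to HTTP/1.1 with an empty TLSNextProto map still gets an HTTP/2 answer when a wrapper retries on a secondary client, and fails visibly once that secondary is nil. The names fallbackClient and probe and the retry rule (any transport error) are assumptions for illustration, and the local httptest server is constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fallbackClient is a hypothetical retry wrapper; Secondary plays the role of HTTPClient2.
type fallbackClient struct{ Primary, Secondary *http.Client }

// Proto reports which protocol answered. Assumed rule: a Primary error retries on Secondary.
func (c fallbackClient) Proto(url string) (string, error) {
	resp, err := c.Primary.Get(url)
	if err != nil && c.Secondary != nil {
		resp, err = c.Secondary.Get(url) // the silent protocol switch
	}
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return resp.Proto, nil
}

// probe hits a constructed local TLS server that answers HTTP/2 but drops HTTP/1.x requests.
func probe(keepSecondary bool) (string, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		if r.ProtoMajor == 1 {
			panic(http.ErrAbortHandler) // close the connection without a response
		}
	}))
	srv.EnableHTTP2 = true
	srv.StartTLS()
	defer srv.Close()
	roots := srv.Client().Transport.(*http.Transport).TLSClientConfig.RootCAs
	c := fallbackClient{Primary: &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
		TLSNextProto:    map[string]func(string, *tls.Conn) http.RoundTripper{}, // empty, non-nil: no HTTP/2
	}}}
	if keepSecondary {
		c.Secondary = srv.Client() // httptest's own client negotiates HTTP/2 here
	}
	return c.Proto(srv.URL)
}

func main() {
	fmt.Println(probe(true))  // secondary kept: the answer arrives over HTTP/2
	fmt.Println(probe(false)) // secondary nil: the HTTP/1.1 failure is reported
}
```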

neo-by-projectdiscovery-dev bot commented Mar 5, 2026

Neo - PR Security Review

No security issues found

Highlights

  • Sets HTTPClient2 to nil when protocol is 'http11' to prevent silent HTTP/2 fallback
  • Adds regression test TestHTTP11ShouldDisableRetryableHTTP2Fallback to verify enforcement
  • Ensures httpx honors explicit -pr http11 flag for security testing scenarios

coderabbitai bot commented Mar 5, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between ed0f6af and 16e61f1.

📒 Files selected for processing (2)
  • common/httpx/httpx.go
  • common/httpx/httpx_test.go

Walkthrough

Adds conditional cleanup to disable the secondary HTTP/2 client when the HTTP protocol is configured as HTTP/1.1, preventing HTTP/2 fallback behavior. A corresponding test validates this behavior by asserting the secondary client is nil when HTTP/1.1 is selected.

Changes

| Cohort / File(s) | Summary |
|---|---|
| HTTP/1.1 Protocol Handling: common/httpx/httpx.go, common/httpx/httpx_test.go | Sets HTTPClient2 to nil when protocol is http11 to disable secondary HTTP/2 client. Adds test TestHTTP11ShouldDisableRetryableHTTP2Fallback to verify the fallback is disabled. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and clearly summarizes the main change: disabling the HTTP/2 fallback path when HTTP/1.1 protocol is explicitly set. |
