150300 HTTP Request Smuggling

Hi, just looking for some advice here.

I have a concerned client who uses Qualys Vulnerability Scan on a Roots / Bedrock / Trellis website. They are particularly concerned about the “150300 HTTP Request Smuggling” threat flagged by Qualys, which is outside my area of expertise. I don’t see any concern about this in the Trellis community, so I’d be hesitant to do things any differently, but I just thought I’d raise the issue and hopefully alleviate my client’s concerns.

I’m guessing that this vulnerability is something that could be patched by adjusting our Trellis / Nginx configuration. The most common recommendation is to disable HTTP/1.0, but I’d be very hesitant to do that, as I have no idea of the repercussions.

Can anyone offer any advice here?

We are currently running Trellis 1.20.1. Thank you.