Most HTTP vulnerabilities don’t come from sophisticated attacks. They come from misunderstanding where your framework stops protecting you. This covers the edge cases that actually bite production APIs: Range headers, path traversal, encoding conflicts, and request smuggling