Somewhat traditional CE.TE request smuggling attack on a few of Apple’s domains. The main trick with this one was to place a \n in the Transfer-Encoding header name. So the full header being Transfer-Encoding\n : chunked This allowed the TE header to be smuggled through any checks on the frontend and still be parsed by the backend server.