oh yeah... http metadata, its annoying how every client / http implementation includes different defaults. the browser will automatically include a lot of extra headers where as curl wont add anything

It might be worth being more strict on things like bad auth headers or missing content-length header since that "might" help the clients start to implement those things