A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.
Use HTTP/2 instead (clear boundaries between requests)
Disable reuse of backend connections, e.g.
http-reuse never
in HAProxy, or the equivalent setting in another load balancer.
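
RFC 7230 section 3.2.4 forbids whitespace between a header field name and the colon and requires a server to reject such a request with 400 (Bad Request). The strict check below is an added example in Python, not Netty code and not part of the original advisory; it flags the header form described above in a raw request so a front end can refuse it. The function names and sample requests are constructed for illustration.

```python
import re

# Characters RFC 7230 allows in a field-name ("token").
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def find_bad_field_names(raw: bytes) -> list:
    """Return (line_number, reason, line) for each header line whose field
    name a strict parser must reject. Only the header block is examined."""
    head = raw.split(b"\r\n\r\n", 1)[0]           # ignore the message body
    findings = []
    for n, line in enumerate(head.split(b"\r\n")[1:], start=2):  # line 1 = request line
        if line[:1] in (b" ", b"\t"):
            continue                              # obs-fold continuation of a value, out of scope here
        name, sep, _value = line.partition(b":")  # split at the FIRST colon only
        if not sep:
            findings.append((n, "no colon", line))
        elif name != name.rstrip(b" \t"):
            findings.append((n, "whitespace before colon", line))
        elif not TOKEN.fullmatch(name):
            findings.append((n, "invalid field-name", line))
    return findings

def status_for(raw: bytes):
    """400 when the request must be rejected, None when the header names are clean."""
    return 400 if find_bad_field_names(raw) else None

# Constructed sample requests (not captured traffic).
SAMPLE_OK = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Request-Id: 1\r\n\r\n"
SAMPLE_BAD = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Request-Id : 1\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, status_for(req), find_bad_field_names(req))
```

Rejecting at the first hop that parses the request keeps a lenient and a strict parser from disagreeing about where the headers end.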