Lighttpd

No byte in a UTF-8 string is in the range 1 to 31, if it doesn't contain characters in the range 1 to 31. or, in other words, each ascii byte you see is exactly what you see. the bytes in the "not-ascii" part of an utf-8 string always have the highest bit set.

Of the ctl characters only tab (and space) are allowed, unless quoted and escaped, according to rfc2616 (LWS doesn't count as content).

as the quote rules are broken, i don't see a reason to allow them. (the rules don't enforce handling \ as escape, which allows different interpretations).

I can't agree with you. I analyzed the request headers from heavily loaded production and noticed that there are lots of requests with cookies which contain control symbols like 13, 19, 5:
__utma=73945862.738618813.1325098444.1325098444.1325098444.1; __utmz=73945862.1325098444.1.1.utmcsr=begun|utmccn=Begun:%205@<0=8O|utmcmd=cpc|utmctr=0@5=40%2002B>%202>%20D@0=:DC@B5|

I think it's just not right to throw error code 400 and reject consequent client requests.

I think it is right to reject such requests. and i have the rfc on my side.

In lighttpd 1.4.40, you can now set server.http-parseopt-header-strict = "disable"

With the default (strict header parsing enabled), lighttpd 1.4.x will return 400 Bad Request for such a request.