fix: ensure -pr http11 disables HTTP/2 fallback #2448

Open
innerpeace609 wants to merge 1 commit into projectdiscovery:dev from innerpeace609:fix-http11-bounty

innerpeace609 commented Mar 9, 2026

This PR fixes issue #2240 where the -pr http11 flag was being ignored due to the underlying transport falling back to HTTP/2. I have explicitly disabled ForceAttemptHTTP2 and cleared TLSNextProto in the transport configuration when the http11 protocol is selected.

/claim #2240

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced HTTP protocol configuration to prevent unintended HTTP/2 connections in HTTP/1.1 mode.
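
The two transport settings named in the description can be checked against a local server that offers both protocols. This is an added example, not code from the PR or from httpx; `newTransport`, `negotiatedProto` and the mode strings are hypothetical names, and the TLS server is constructed in-process with `net/http/httptest`.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newTransport is a hypothetical helper (not httpx's code). The "http11"
// branch applies the two settings named in the PR description.
func newTransport(mode string, roots *x509.CertPool) *http.Transport {
	tr := &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: roots},
		ForceAttemptHTTP2: true, // with a custom TLS config, h2 needs this opt-in
	}
	if mode == "http11" {
		tr.ForceAttemptHTTP2 = false
		// A non-nil, empty map stops net/http from registering an "h2" upgrade.
		tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
	}
	return tr
}

// negotiatedProto GETs a constructed local TLS server offering h2 and http/1.1.
func negotiatedProto(mode string) (string, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.EnableHTTP2 = true
	srv.StartTLS()
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	tr := newTransport(mode, roots)
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return resp.Proto, err
}

func main() {
	for _, mode := range []string{"auto", "http11"} {
		fmt.Println(negotiatedProto(mode))
	}
}
```

Asserting on `resp.Proto` in a regression test catches a silent return to HTTP/2 if the transport construction changes later.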

coderabbitai bot commented Mar 9, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 73afc60 and 5391895.

📒 Files selected for processing (1)
  • common/httpx/httpx.go

Walkthrough

A single line is added to explicitly disable HTTP/2 attempt at the transport level by setting ForceAttemptHTTP2 = false when HTTP/1.1 protocol is configured, supplementing existing HTTP/2 disablement mechanisms.

Changes

Cohort / File(s): HTTP Transport Configuration (common/httpx/httpx.go)
Summary: Added explicit HTTP/2 disablement via transport.ForceAttemptHTTP2 = false when Protocol is http11, reinforcing existing HTTP/2 prevention mechanisms.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly summarizes the main change: explicitly disabling HTTP/2 fallback when http11 protocol is selected, which directly addresses the PR's core objective.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

neo-by-projectdiscovery-dev bot commented Mar 10, 2026

Neo - PR Security Review

No security issues found

Highlights

Hardening Notes
  • The Protocol value is validated via command-line flags and converted through httpx.Proto(), preventing injection of arbitrary protocol strings
  • This change improves the tool's reliability for security researchers who need to test HTTP/1.1-specific behaviors
  • No scanner findings from TruffleHog, Semgrep, or ast-grep
