In no particular order:
- If a client sends an ‘Authorization’ request header that is not processed, TIdHTTPServer now sends an HTTP 401 response instead of closing the socket connection.
- When sending a response to a client, TIdHTTPResponseInfo.SetHeaders() now sets ‘WWW-Authenticate’ and ‘Proxy-Authenticate’ headers if the TIdHTTPResponseInfo.WWWAuthenticate and/or TIdHTTPResponseInfo.ProxyAuthenticate properties are not empty. Previously, these properties were only hooked up for requests, not responses. This now allows users to define their own authentication types (for use with the TIdHTTPServer.OnParseAuthentication event) without having to use the TIdHTTPResponseInfo.CustomHeaders property. TIdHTTPServer still sends a ‘WWW-Authenticate: Basic’ header if the TIdHTTPResponseInfo.AuthRealm property is assigned a non-empty value, but only if the TIdHTTPResponseInfo.WWWAuthenticate property is empty.
- TIdHTTPServer now fires the OnDoneWithPostStream event after sending a response, if the ARequestInfo.PostStream property is still assigned. Previously, OnDoneWithPostStream was fired only when parsing ‘application/x-www-form-urlencoded’ data before firing an OnCommand… event.
- TIdHTTPRangeStream, TIdHTTPResponseInfo, and TIdCustomHTTPServer now use IdDisposeAndNil() instead of FreeAndNil() if a TStream is marked as owned and needs to be freed.
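
The custom-authentication flow from the items above, as an added Delphi example that is not Indy's own code: OnParseAuthentication accepts a non-Basic scheme, and the command handler issues the 401 challenge through the WWWAuthenticate property rather than CustomHeaders. The 'Bearer' scheme, realm, port, token value, and the TAuthDemo and SameToken names are assumptions chosen for illustration.

```delphi
program CustomAuthDemo; // added example; TAuthDemo and SameToken are hypothetical names
{$APPTYPE CONSOLE}
uses SysUtils, Math, IdGlobal, IdContext, IdCustomHTTPServer, IdHTTPServer;
const DemoToken = 'constructed-demo-token'; // constructed value, not a real secret
type
  TAuthDemo = class
    procedure ParseAuth(AContext: TIdContext; const AAuthType, AAuthData: String;
      var VUsername, VPassword: String; var VHandled: Boolean);
    procedure CommandGet(AContext: TIdContext; ARequestInfo: TIdHTTPRequestInfo;
      AResponseInfo: TIdHTTPResponseInfo);
  end;

function SameToken(const A, B: String): Boolean; // no early exit on first mismatch
var I, Diff: Integer;
begin
  Diff := Length(A) xor Length(B);
  for I := 1 to Min(Length(A), Length(B)) do Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

procedure TAuthDemo.ParseAuth(AContext: TIdContext; const AAuthType, AAuthData: String;
  var VUsername, VPassword: String; var VHandled: Boolean);
begin
  if TextIsSame(AAuthType, 'Bearer') then begin // claim only the custom scheme
    VPassword := AAuthData; // surfaces later as ARequestInfo.AuthPassword
    VHandled := True;
  end;
end;

procedure TAuthDemo.CommandGet(AContext: TIdContext; ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo);
begin
  if ARequestInfo.AuthExists and SameToken(ARequestInfo.AuthPassword, DemoToken) then
    AResponseInfo.ContentText := 'ok'
  else begin
    AResponseInfo.ResponseNo := 401;
    AResponseInfo.WWWAuthenticate.Add('Bearer realm="demo"'); // assumed: one header value per entry
  end;
end;

var Demo: TAuthDemo; Server: TIdHTTPServer;
begin
  Demo := TAuthDemo.Create;
  Server := TIdHTTPServer.Create(nil);
  Server.DefaultPort := 8080; // assumed port
  Server.OnParseAuthentication := Demo.ParseAuth;
  Server.OnCommandGet := Demo.CommandGet;
  Server.Active := True;
  Readln; // serve until Enter is pressed
end.
```

Because WWWAuthenticate is non-empty here, the 'WWW-Authenticate: Basic' fallback tied to AuthRealm does not apply, so clients are not invited to send credentials under a scheme the handler never validates.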