An attacker can send a crafted request like GET /protected with a Host: example.com/health?x= header. The request will reach the /proteced path, but request.url would be https://example.com/health?x=/protected, and request.url.path would return /health instead of the real request path.
Even though I prefer htmx, another emerging gravity is what LLMs are good at.
LLM-based coding/debugging/planning is a thing and going to stay, and if there are less code-bases to train LLMs, any new language/framework will be at disadvantage.
An attacker can send a crafted request like GET /protected with a Host: example.com/health?x= header. The request will reach the /proteced path, but request.url would be https://example.com/health?x=/protected, and request.url.path would return /health instead of the real request path.