Instead of the current ban on Content-Length from CGI-like modules, we could let these headers through and validate the length in some core filter, making sure a short or long response results in a terminated connection. This would replace the whitelisting via ap_trust_cgilike_cl