Ktor HEAD Request Fails with "expected 0 bytes but received 20" Error I'm trying to perform a simple HEAD request in Ktor (with OkHttp engine) to retrieve headers, but encountering an unexpected error. My Retrofit implementation works perfectly, but Ktor consistently throws an IOException. Specific details: - Using Ktor 3.0.0-rc-1 with OkHttp engine on the Android Side - Attempting to make a HEAD request to retrieve specific header values - Error:

java.io.IOException: expected 0 bytes but received 20

- Retrofit code works without issues - I've tried multiple configuration approaches, including: - Disabling plugins - Creating fresh HttpClient - Configuring engine settings - I even used OkHttp directly and it worked: val

client = OkHttpClient.Builder().followRedirects(true).build()

- I am not trying to use neither OkHttp or Retrofit because the project is Multiplatform Code snippet demonstrating the issue:

suspend fun getHeaderValue(header: String): String? {
    return client.head(url) {
        // Add headers
    }.headers[header]
}

Has anyone encountered similar issues with Ktor HEAD requests? Any insights into why this might be happening or how to resolve it?

What are the 20 bytes returned?

The "20 bytes" typically indicates some minimal response content that's being inadvertently read during the HEAD request, which should normally have no body. I wasn't really able to log them when I do this

val result = client.head(url)
println(".....")

the println won't be reached as of the Retrofit Impl this is what returns as headers

headers: content-type: application/json
accept-ranges: bytes
cache-control: max-age=60
content-disposition: attachment; filename="019.mp3"; filename*=UTF-8''019.mp3
content-security-policy: sandbox
pragma: public
referrer-policy: no-referrer
vary: Origin, Accept-Encoding
x-content-security-policy: sandbox
x-content-type-options: nosniff
x-robots-tag: noindex, nofollow, noimageindex
x-server-response-time: 344
x-webkit-csp: sandbox
date: Wed, 27 Nov 2024 13:12:49 GMT
server: envoy
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-encoding: gzip
x-dropbox-response-origin: far_remote
x-dropbox-request-id: ca79bc683b3049588f8d4be94d37e7e4

try a

curl --head -v <url>

to maybe get some more output.

what is that?

a command line tool for network requests https://de.wikipedia.org/wiki/CURL

* Trying 162.125.69.18:443... * Connected to www.dropbox.com (162.125.69.18) port 443 * ALPN: curl offers h2,http/1.1 * (304) (OUT), TLS handshake, Client hello (1): * CAfile: /etc/ssl/cert.pem * CApath: none * (304) (IN), TLS handshake, Server hello (2): * (304) (IN), TLS handshake, Unknown (8): * (304) (IN), TLS handshake, Certificate (11): * (304) (IN), TLS handshake, CERT verify (15): * (304) (IN), TLS handshake, Finished (20): * (304) (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 * ALPN: server accepted h2 * Server certificate: * subject: C=US; ST=California; L=San Francisco; O=Dropbox, Inc; CN=*.dropbox.com * start date: Nov 12 000000 2024 GMT * expire date: Dec 8 235959 2025 GMT * subjectAltName: host "www.dropbox.com" matched cert's "*.dropbox.com" * issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1 * SSL certificate verify ok. * using HTTP/2 * [HTTP/2] [1] OPENED stream for https://www.dropbox.com/scl/fi/ydgdlw9sa01beir9x4jz/113.mp3?rlkey=s92qiy4ew7y7260xqkg8y2wsb&dl=1 * [HTTP/2] [1] [method HEAD] * [HTTP/2] [1] [scheme https] * [HTTP/2] [1] [authority www.dropbox.com] * [HTTP/2] [1] [path /scl/fi/ydgdlw9sa01beir9x4jz/113.mp3?rlkey=s92qiy4ew7y7260xqkg8y2wsb&dl=1] * [HTTP/2] [1] [user-agent: curl/8.4.0] * [HTTP/2] [1] [accept: /]

HEAD /scl/fi/ydgdlw9sa01beir9x4jz/113.mp3?rlkey=s92qiy4ew7y7260xqkg8y2wsb&dl=1 HTTP/2

Host: www.dropbox.com

User-Agent: curl/8.4.0

Accept: /

< HTTP/2 302 HTTP/2 302 < content-security-policy: frame-ancestors 'self' https://*.dropbox.com ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; base-uri 'self' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; font-src https://* data: ; img-src https://* data: blob: ; media-src https://* blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; child-src https://www.dropbox.com/static/serviceworker/ blob: content-security-policy: frame-ancestors 'self' https://*.dropbox.com ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; base-uri 'self' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; font-src https://* data: ; img-src https://* data: blob: ; media-src https://* blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; child-src https://www.dropbox.com/static/serviceworker/ blob: < content-type: text/html; charset=utf-8 content-type: text/html; charset=utf-8 < location: https://uc3a641717d29544fbdf06084463.dl.dropboxusercontent.com/cd/0/inline/CfMU4AnjYnNjFLkIyBcpvK9TugEc1HTnsbaT6bcRw0QQ2r1aR5kwqkEkUzvyrnucalGJBf4zNcPUpqt0TUxzgEWd-LcZ-3UagoCXeOk74UJLYdJ2a47RDGkR8Vv6VE8YS-tid2Oq6syMMsymRp-gHb6O/file?dl=1# location: https://uc3a641717d29544fbdf06084463.dl.dropboxusercontent.com/cd/0/inline/CfMU4AnjYnNjFLkIyBcpvK9TugEc1HTnsbaT6bcRw0QQ2r1aR5kwqkEkUzvyrnucalGJBf4zNcPUpqt0TUxzgEWd-LcZ-3UagoCXeOk74UJLYdJ2a47RDGkR8Vv6VE8YS-tid2Oq6syMMsymRp-gHb6O/file?dl=1# < pragma: no-cache pragma: no-cache < referrer-policy: strict-origin-when-cross-origin referrer-policy: strict-origin-when-cross-origin < set-cookie: gvc=MTMxNzU1MjEyNTI1NTQzNjQ5ODY4NTIyMDE5Nzg0Mzc5MTU2MzM3; Path=/; Expires=Tue, 27 Nov 2029 070223 GMT; HttpOnly; Secure; SameSite=None set-cookie: gvc=MTMxNzU1MjEyNTI1NTQzNjQ5ODY4NTIyMDE5Nzg0Mzc5MTU2MzM3; Path=/; Expires=Tue, 27 Nov 2029 070223 GMT; HttpOnly; Secure; SameSite=None < set-cookie: t=IuikxkhMkHtLwG4WahUEpyi4; Path=/; Domain=dropbox.com; Expires=Fri, 28 Nov 2025 070223 GMT; HttpOnly; Secure; SameSite=None set-cookie: t=IuikxkhMkHtLwG4WahUEpyi4; Path=/; Domain=dropbox.com; Expires=Fri, 28 Nov 2025 070223 GMT; HttpOnly; Secure; SameSite=None < set-cookie: __Host-js_csrf=IuikxkhMkHtLwG4WahUEpyi4; Path=/; Expires=Fri, 28 Nov 2025 070223 GMT; Secure; SameSite=None set-cookie: __Host-js_csrf=IuikxkhMkHtLwG4WahUEpyi4; Path=/; Expires=Fri, 28 Nov 2025 070223 GMT; Secure; SameSite=None < set-cookie: __Host-ss=pSoJcCP_Y0; Path=/; Expires=Fri, 28 Nov 2025 070223 GMT; HttpOnly; Secure; SameSite=Strict set-cookie: __Host-ss=pSoJcCP_Y0; Path=/; Expires=Fri, 28 Nov 2025 070223 GMT; HttpOnly; Secure; SameSite=Strict < set-cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Tue, 27 Nov 2029 070223 GMT set-cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Tue, 27 Nov 2029 070223 GMT < x-content-type-options: nosniff x-content-type-options: nosniff < x-permitted-cross-domain-policies: none x-permitted-cross-domain-policies: none < x-robots-tag: noindex, nofollow, noimageindex x-robots-tag: noindex, nofollow, noimageindex < x-xss-protection: 1; mode=block x-xss-protection: 1; mode=block < content-length: 17 content-length: 17 < date: Thu, 28 Nov 2024 070223 GMT date: Thu, 28 Nov 2024 070223 GMT < strict-transport-security: max-age=31536000; includeSubDomains strict-transport-security: max-age=31536000; includeSubDomains < server: envoy server: envoy < cache-control: no-cache, no-store cache-control: no-cache, no-store < x-dropbox-response-origin: far_remote x-dropbox-response-origin: far_remote < x-dropbox-request-id: 192c443f48884e1ca7289b9b95c49406 x-dropbox-request-id: 192c443f48884e1ca7289b9b95c49406 < * Connection #0 to host www.dropbox.com left intact

Can you please share an endpoint to where you made the HEAD request? Can you please try to use the latest released version 3.0.1?

I am currently using the latest version 3.0.1 this is one of the endpoints: https://www.dropbox.com/scl/fi/ygify4ps6mcdm147uyy9u/005.mp3?rlkey=ibpl8qbgvcby7cjv6ra2zxs2q&amp;dl=1 it's just a mp3 file I tried an online mp3 file: https://file-examples.com/storage/feb06822a967475629bfe71/2017/11/file_example_MP3_700KB.mp3 and the error didn't happen, maybe it has to do with dropbox ?

The beginning of the 20 bytes read from the response body contains the GZIP signature bytes. Unfortunately, I haven't found a way to avoid the exception apart from switching to another Ktor engine.

like what? what other engines can i use in android?

The Android engine.

thank you